Axios npm Supply Chain Compromise - Sapphire Sleet (DPRK) RAT Delivery
Details
On March 31, 2026, Sapphire Sleet (a North Korean state-sponsored threat actor tracked by Microsoft) published two malicious versions of axios (1.14.1 and 0.30.4) to npm. Axios is one of the most widely used JavaScript HTTP client libraries with over 70 million weekly downloads. The malicious versions injected a backdoored dependency that connected to attacker-controlled C2 infrastructure (sfrclak[.]com). Upon successful C2 connection, a second-stage remote access trojan (RAT) was deployed targeting macOS, Windows, and Linux. Microsoft published detection and mitigation guidance on April 1, 2026. Safe versions are 1.14.0 and 0.30.3. Recommended response includes rotating all secrets and credentials, reviewing CI/CD pipeline logs for outbound C2 connections, and disabling postinstall scripts. The incident is attributed to the same North Korean actor responsible for TraderTraitor/UNC4736 campaigns targeting the crypto/DeFi sector.
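As an added example (not code from the advisory or from the axios project), the following Node.js script checks an npm lockfile for the two malicious axios releases named above, covering both the lockfileVersion 2/3 "packages" map and the lockfileVersion 1 nested "dependencies" tree; the sample lockfile is constructed for illustration.

```javascript
// Versions named in the advisory: 1.14.1 and 0.30.4 are malicious.
const MALICIOUS = { axios: new Set(["1.14.1", "0.30.4"]) };

// Return every install path in the lockfile that resolves to a flagged version.
function findCompromised(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat map keyed by "node_modules/.../<name>".
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // keeps "@scope/pkg" intact
    if (MALICIOUS[name] && MALICIOUS[name].has(meta.version)) {
      hits.push({ name, version: meta.version, path });
    }
  }
  // lockfileVersion 1: nested "dependencies" objects (only walked when no
  // "packages" map exists, since v2 lockfiles carry both for compatibility).
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (MALICIOUS[name] && MALICIOUS[name].has(meta.version)) {
        hits.push({ name, version: meta.version, path });
      }
      walk(meta.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Read and scan a real lockfile on disk (e.g. scanLockfile("package-lock.json")).
function scanLockfile(file) {
  const fs = require("fs");
  return findCompromised(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample: a direct dependency pulled the compromised 1.14.1, while a
// transitive copy under legacy-sdk stayed on the safe 0.30.3.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/legacy-sdk": { version: "2.0.0" },
    "node_modules/legacy-sdk/node_modules/axios": { version: "0.30.3" },
  },
};

console.log(findCompromised(SAMPLE_LOCK));
```

Run it against each repository's lockfile in CI; any hit means the install step may already have executed the backdoored dependency, which is the trigger for the secret rotation and log review the advisory recommends.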
Technical Details
- Initial Attack Vector: Sapphire Sleet (North Korean state actor) compromised the npm publishing credentials for axios, one of the most popular JavaScript HTTP client libraries (~70 million weekly downloads), and published malicious versions 1.14.1 and 0.30.4 containing a backdoored dependency that connects to attacker C2.
- Vendor/Product: axios (npm HTTP client library)
- Software Package: axios
- Supply Chain Claimed: Yes