In March 2026, someone hijacked a maintainer account for Axios, a JavaScript HTTP library downloaded more than 45 million times per week on npm, and pushed poisoned versions straight to the public ...