Axios Releases Post-Mortem on NPM Supply Chain Compromise
Primary source post-mortem confirms NPM account compromise led to malicious axios release.
The post-mortem states that unauthorized access to the NPM publishing account allowed the release of a compromised version of axios whose contents did not match the GitHub repository (https://github.com/axios/axios/issues/10636). The issue provides a timeline showing the malicious package was live for several hours and downloaded thousands of times before detection. Maintainers revoked credentials and deprecated the affected version following the incident.
The document reports that the attack was identified through community reports of anomalous behavior and internal package integrity checks (https://github.com/axios/axios/issues/10636). Axios confirms the compromise did not originate from the project's GitHub repository itself. The post-mortem lists exact version numbers impacted and directs users to verified releases.
According to the issue, axios maintained over 30 million weekly downloads on NPM at the time of the event (https://github.com/axios/axios/issues/10636). The team documented response steps including account recovery and publication of a clean version. Comments on the associated Hacker News thread reference similar prior incidents but are not part of the primary post-mortem.
AXIOM: The Axios incident adds to a pattern of credential-based NPM attacks on high-dependency packages; downstream projects should pin exact versions and monitor for unauthorized publishes.
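The two mitigations above (pin exact versions, watch for publishes nobody approved) can be turned into CI checks. The following is an added example written for this summary; it is not code from the axios project or the post-mortem. It assumes a `package-lock.json` in the lockfileVersion 3 layout and registry metadata in the packument shape served by `https://registry.npmjs.org/<name>` (fetched separately; the sample data, versions and integrity strings below are constructed placeholders, not values from the incident). `auditLockfile()` flags direct dependencies that are not pinned to an exact version, lack an sha512 integrity hash, or resolve outside the expected registry; `findUnexpectedPublishes()` flags versions published after the last review that are not on an approved list, and a `latest` tag pointing at such a version.

```javascript
'use strict';

// Added example, not part of the axios post-mortem or the axios project.
// Sample data is constructed; hashes and versions are placeholders.

const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
const TRUSTED_REGISTRY = 'https://registry.npmjs.org/';

// Constructed package-lock.json (lockfileVersion 3), trimmed to two deps.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { axios: '1.2.3', 'left-pad': '^1.3.0' } },
    'node_modules/axios': {
      version: '1.2.3',
      resolved: 'https://registry.npmjs.org/axios/-/axios-1.2.3.tgz',
      integrity: 'sha512-PLACEHOLDER_NOT_A_REAL_HASH',
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
      // integrity deliberately absent in this constructed sample
    },
  },
};

// Constructed packument: the "time" map holds one ISO timestamp per version
// plus "created" and "modified", as the public registry serves it.
const SAMPLE_PACKUMENT = {
  name: 'example-lib',
  'dist-tags': { latest: '1.2.4' },
  time: {
    created: '2024-01-01T00:00:00.000Z',
    modified: '2024-03-02T03:00:00.000Z',
    '1.2.2': '2024-01-10T00:00:00.000Z',
    '1.2.3': '2024-02-01T00:00:00.000Z',
    '1.2.4': '2024-03-02T03:00:00.000Z',
  },
};

// Check every direct dependency of the root package in a lockfile.
function auditLockfile(lock) {
  const findings = [];
  const root = (lock.packages && lock.packages['']) || {};
  const direct = root.dependencies || {};
  for (const [name, spec] of Object.entries(direct)) {
    if (!EXACT_VERSION.test(spec)) {
      findings.push({ name, issue: 'not-pinned', detail: spec });
    }
    const entry = lock.packages[`node_modules/${name}`];
    if (!entry) {
      findings.push({ name, issue: 'missing-lock-entry', detail: '' });
      continue;
    }
    if (!entry.integrity || !entry.integrity.startsWith('sha512-')) {
      findings.push({ name, issue: 'no-sha512-integrity', detail: entry.integrity || '' });
    }
    if (!entry.resolved || !entry.resolved.startsWith(TRUSTED_REGISTRY)) {
      findings.push({ name, issue: 'untrusted-registry', detail: entry.resolved || '' });
    }
  }
  return findings;
}

// Flag versions published after reviewedSinceIso that were never approved,
// and a "latest" dist-tag that points at an unapproved version.
function findUnexpectedPublishes(packument, approvedVersions, reviewedSinceIso) {
  const approved = new Set(approvedVersions);
  const since = Date.parse(reviewedSinceIso);
  const times = packument.time || {};
  const findings = [];
  for (const [version, publishedAt] of Object.entries(times)) {
    if (version === 'created' || version === 'modified') continue;
    if (Date.parse(publishedAt) > since && !approved.has(version)) {
      findings.push({ version, issue: 'unapproved-publish', publishedAt });
    }
  }
  const latest = (packument['dist-tags'] || {}).latest;
  if (latest && !approved.has(latest)) {
    findings.push({ version: latest, issue: 'latest-tag-unapproved', publishedAt: times[latest] || '' });
  }
  return findings;
}

// Run both checks over the constructed samples.
function runChecks() {
  return {
    lockfile: auditLockfile(SAMPLE_LOCKFILE),
    registry: findUnexpectedPublishes(SAMPLE_PACKUMENT, ['1.2.2', '1.2.3'], '2024-02-15T00:00:00.000Z'),
  };
}

console.log(JSON.stringify(runChecks(), null, 2));
```

In CI, feed `auditLockfile()` the parsed `package-lock.json` and fail the build on any finding; run `findUnexpectedPublishes()` on a schedule against the packuments of the project's direct dependencies so that a publish made with stolen credentials shows up as an unapproved version before the next `npm install` picks it up.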
Sources (2)
- [1] Primary Source (https://github.com/axios/axios/issues/10636)
- [2] Related Source (https://news.ycombinator.com/item?id=47621792)