Axios Compromised on NPM
The StepSecurity report states that the Axios NPM package was compromised and malicious versions were published containing a remote access trojan (StepSecurity, https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan). Axios is identified as a core JavaScript library used by millions of projects.
The primary source notes the malicious code was injected into specific versions available on the NPM registry (StepSecurity, https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan). The report links to the Hacker News discussion with 877 points and 314 comments (https://news.ycombinator.com/item?id=47582220).
StepSecurity advises developers to audit dependencies for the affected versions and update accordingly (StepSecurity, https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan).
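One way to run the audit StepSecurity advises, as an added example that is not from the StepSecurity report or the Axios project: it lists every installed copy of axios in a parsed package-lock.json, including transitive and aliased installs. The affected-version string is a placeholder to be replaced with the versions the report names, and the sample lockfile and the function names are constructed for illustration.

```javascript
// Placeholder: replace with the affected versions listed in the StepSecurity report.
const AFFECTED = new Set(["0.0.0-AFFECTED-PLACEHOLDER"]);

// Package name for a lockfile v2/v3 "packages" key such as
// "node_modules/a/node_modules/axios"; aliased installs carry an explicit "name".
function nameOf(key, entry) {
  if (entry.name) return entry.name;
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? "" : key.slice(i + "node_modules/".length);
}

// Return every installed copy of `pkg`, direct or transitive, with path and version.
function findInstalls(lock, pkg, affected) {
  const hits = [];
  const add = (path, version) =>
    hits.push({ path, version, affected: affected.has(version) });
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key !== "" && !entry.link && nameOf(key, entry) === pkg) add(key, entry.version);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree instead of flat "packages"
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const path = prefix + "node_modules/" + name;
        if (name === pkg) add(path, entry.version);
        walk(entry.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (not from the report); all versions are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "9.9.9-constructed" },
    "node_modules/some-sdk": { version: "2.0.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "0.0.0-AFFECTED-PLACEHOLDER" },
    "node_modules/http-alias": { name: "axios", version: "0.0.0-AFFECTED-PLACEHOLDER" },
  },
};

for (const h of findInstalls(SAMPLE_LOCK, "axios", AFFECTED)) {
  console.log(`${h.affected ? "AFFECTED" : "ok      "} ${h.version}  ${h.path}`);
}
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` as the first argument; a direct dependency on a clean version does not rule out an affected copy nested under another package.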
Sources (1)
- [1] Axios compromised on NPM – Malicious versions drop remote access trojan (https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan)