An attacker compromised the npm account of a lead Axios maintainer on March 30, and used it to publish two malicious versions of the widely used JavaScript HTTP client library.

The breach exposed non-sensitive environment variables, and a threat actor operating under the ShinyHunters name has claimed responsibility.