a north-korea-affiliated crew, named stardust chollima by researchers, injected a remote-access trojan into specific versions of the axios npm package, a code component downloaded roughly 100 million times a week. because the poison sits inside a shared building block of countless applications, the compromise reaches into software build pipelines across the whole technology sector rather than a single target.