An attacker compromised the npm account of a lead Axios maintainer on March 30, and used it to publish two malicious versions ...
And the funny thing is, it seems like it's completely legal.