Axios npm compromised today - malicious versions dropped a self-cleaning RAT via fake dependency. Same attack pattern we've seen dozens of times: compromised maintainer, postinstall hook, credential theft. npm's model still treats maintainers as fully trusted. One weak password, millions at risk.