A supply chain attack compromised Axios version 1.14.1 on npm by injecting a malicious dependency, plain-crypto-js. The attack's impact was significantly amplified by default semver range resolutions and dynamic execution tools like npx, which bypassed standard lockfile protections during the exposure window.