The ubiquitous JavaScript utility library 'is', which has 2.8 million weekly downloads, was compromised in a sophisticated supply chain attack that injected backdoor malware granting attackers remote code execution. Attackers hijacked maintainer accounts via phishing to publish malicious versions, impacting critical development tools and infrastructure across the ecosystem.