North Korea-Linked Group's AXIOS Supply Chain Attack

2026-04-01 SECUI STIC

https://stic.secui.com/main/main/threatInfo?id=371&lang=ko


SECUI STIC analyzes a supply-chain compromise of the Axios npm package. The attackers stole maintainer credentials and changed the package's install-time behavior so that a malicious setup.js loader ran automatically whenever an affected version was installed. The loader recovers its strings at runtime through custom obfuscation layered over Base64 decoding and XOR decryption with the fixed key OrDeR_7077, then assembles downloader behavior tailored to the infected host. The report notes that part of the attack infrastructure overlaps with infrastructure previously observed in North Korea-linked activity and cites that overlap as the basis for attributing the campaign to a North Korean threat group; the attribution as stated rests on that infrastructure overlap. Defensive guidance: check whether Axios 1.14.1 or 0.30.4 is present anywhere in your dependency tree, look for %PROGRAMDATA%\wt.exe on endpoints, review network traffic to 142.11.206.73, and rotate any credentials that were used on infected systems.
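Because the key OrDeR_7077 is fixed, the Base64-plus-XOR layer can be undone statically without executing the loader. The following is an added example written for this page; it is not SECUI's code and not the actual loader. It assumes the simplest layering consistent with the summary (Base64-decode the literal, then XOR with the key repeated across the buffer); the real loader's custom obfuscation may add steps beyond this, and the sample source and the URL in it are constructed for the demo.

```javascript
// Added example (not SECUI's code, not the real loader): undo a
// Base64-wrapped, repeating-key XOR string layer using the fixed key the
// report names. Layering order (Base64 first, then XOR) is an assumption.
const XOR_KEY = 'OrDeR_7077';

// XOR every byte of `buf` with the key, cycling the key as needed.
function xorWithKey(buf, key = XOR_KEY) {
  const k = Buffer.from(key, 'utf8');
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) {
    out[i] = buf[i] ^ k[i % k.length];
  }
  return out;
}

// Recover plaintext from one Base64 literal as it would appear in the loader.
function decodeObfuscated(b64, key = XOR_KEY) {
  return xorWithKey(Buffer.from(b64, 'base64'), key).toString('utf8');
}

// Inverse of decodeObfuscated; used here only to build the sample input.
function encodeObfuscated(plain, key = XOR_KEY) {
  return xorWithKey(Buffer.from(plain, 'utf8'), key).toString('base64');
}

// Triage heuristic: try every Base64-looking string literal in a JS source
// and keep those whose decode is mostly printable. This surfaces paths,
// URLs and commands for an analyst without running the loader.
const B64_LITERAL = /['"]([A-Za-z0-9+/]{12,}={0,2})['"]/g;

function isMostlyPrintable(s) {
  if (s.length === 0) return false;
  let printable = 0;
  for (const ch of s) {
    const c = ch.charCodeAt(0);
    if ((c >= 0x20 && c < 0x7f) || c === 0x09 || c === 0x0a || c === 0x0d) printable++;
  }
  return printable / s.length >= 0.95;
}

function extractStrings(source, key = XOR_KEY) {
  const found = [];
  for (const m of source.matchAll(B64_LITERAL)) {
    const plain = decodeObfuscated(m[1], key);
    if (isMostlyPrintable(plain)) found.push({ literal: m[1], plain });
  }
  return found;
}

// Constructed sample source (invented for the demo). The wt.exe path mirrors
// the drop location the report names; the URL is a placeholder, not an IOC.
const SAMPLE_SOURCE = [
  'var a = d("' + encodeObfuscated('%PROGRAMDATA%\\wt.exe') + '");',
  'var b = d("' + encodeObfuscated('http://example.invalid/stage2') + '");',
  'var c = "not-base64!";',
].join('\n');

// Decode everything recoverable from the sample and return it.
function triageSample() {
  return extractStrings(SAMPLE_SOURCE);
}

for (const { literal, plain } of triageSample()) {
  console.log(literal, '->', JSON.stringify(plain));
}
```

Run it with Node against a suspect setup.js by replacing SAMPLE_SOURCE with the file contents; literals that decode to readable paths, hostnames or command lines are the ones worth pulling into an IOC list. A literal that decodes to noise under this key is not proof of a different scheme, only that this particular layering does not apply to it.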

Indicators of Compromise

Type    Value                               First Seen   Last Seen
DOMAIN  sfrclak.com                         2026-03-30   2026-04-20
HASH    58401c195fe0a6204b42f5f90995ece…    2026-03-31   2026-04-17
HASH    5bb67e88846096f1f8d42a0f0350c9c…    2026-03-31   2026-04-17
HASH    f7d335205b8d7b20208fb3ef93ee6dc…    2026-03-31   2026-04-17
HASH    e10b1fa84f1d6481625f741b6989278…    2026-03-31   2026-04-17
HASH    fcb81618bb15edfdedfb638b4c08a2a…    2026-03-30   2026-04-17
IPv4    142.11.206.73                       2026-03-30   2026-04-17

(Hash values are truncated as they appear on the source page.)
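The defensive guidance above amounts to three checks: is an affected Axios version in the dependency tree, does any package declare an install-time script that launches a setup.js, and do endpoint or network logs contain the listed IOCs. The following is an added example written for this page, not SECUI's tooling. The version numbers, IP, domain and drop path are the ones the report lists; the lockfile, package manifest and log lines are constructed for the demo.

```javascript
// Added example (not SECUI's code): offline triage helpers for the three
// checks the report recommends. All inputs are passed in as objects or
// arrays, so the same functions work on a real package-lock.json,
// package.json or exported log lines.
const AFFECTED_AXIOS_VERSIONS = new Set(['1.14.1', '0.30.4']);
const IOC_IPS = new Set(['142.11.206.73']);
const IOC_DOMAINS = new Set(['sfrclak.com']);
const LOADER_PATH_RE = /(?:%PROGRAMDATA%|ProgramData)[\\/]wt\.exe/i;

// 1. Lockfile exposure: every axios entry, including nested copies, in a
// lockfileVersion 2/3 package-lock.json ("packages" keys are node_modules paths).
function findAffectedAxios(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/axios')) continue;
    if (AFFECTED_AXIOS_VERSIONS.has(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// 2. Install-time script review: lifecycle hooks npm runs during install
// that reference a setup.js, the trigger the report describes.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

function findSuspiciousInstallScripts(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string' && /setup\.js/.test(scripts[hook]))
    .map((hook) => ({ name: pkg.name, hook, command: scripts[hook] }));
}

// 3. Log sweep: proxy/DNS lines against the network IOCs, and file-event
// lines against the loader drop path.
function scanLines(lines) {
  const matches = [];
  for (const line of lines) {
    for (const ip of IOC_IPS) if (line.includes(ip)) matches.push({ type: 'ip', value: ip, line });
    for (const d of IOC_DOMAINS) if (line.includes(d)) matches.push({ type: 'domain', value: d, line });
    if (LOADER_PATH_RE.test(line)) matches.push({ type: 'path', value: 'wt.exe', line });
  }
  return matches;
}

// Constructed sample data (invented for the demo, not from a real system).
// The nested 1.13.0 copy is simply a version not in the report's list.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/some-sdk/node_modules/axios': { version: '1.13.0' },
  },
};
const SAMPLE_PKG = {
  name: 'demo-dep',
  version: '0.0.1',
  scripts: { postinstall: 'node setup.js', test: 'node test.js' },
};
const SAMPLE_LINES = [
  '2026-03-31T02:14:07Z proxy CONNECT 142.11.206.73:443 user=svc-build',
  '2026-03-31T02:14:09Z dns query sfrclak.com A from 10.0.4.12',
  '2026-03-31T02:14:11Z sysmon FileCreate C:\\ProgramData\\wt.exe',
  '2026-03-31T02:15:00Z proxy CONNECT registry.npmjs.org:443 user=svc-build',
];

// Run all three checks over the sample data and return the findings.
function triage() {
  return {
    axios: findAffectedAxios(SAMPLE_LOCK),
    scripts: findSuspiciousInstallScripts(SAMPLE_PKG),
    iocs: scanLines(SAMPLE_LINES),
  };
}

console.log(JSON.stringify(triage(), null, 2));
```

Feed findAffectedAxios the parsed package-lock.json of each project and findSuspiciousInstallScripts the package.json of each installed dependency. A lockfile records what was resolved, not necessarily what is on disk, so on a machine that may already be infected also read node_modules/axios/package.json directly and check for the wt.exe drop before trusting the lockfile result.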
