Follow-up on the Axios Supply Chain Attack: Clues Point Directly to the Lazarus Group (original title: Axios供应链攻击事件再追踪:线索直指Lazarus组织)

2026-04-01 Qihoo360

https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247508249&idx=1&sn=d50892ac7b48a52ff293889bb77c800f

360 attributes the Axios npm supply-chain compromise to Lazarus with strong confidence, citing overlaps with GhostCall activity and RustBucket-related macOS components. The attackers hijacked the axios maintainer account and published malicious [email protected] and [email protected] releases that introduced the previously unused dependency [email protected], whose postinstall script runs a cross-platform RAT. The report links the incident to earlier activity that used Telegram-to-meeting lures, PowerShell execution, credential theft, Run key persistence named MicrosoftUpdate, and payload delivery from domains such as microsmeet[.]xyz and bluyy[.]com. It also highlights RustBucket-adjacent macOS build strings such as macWebT and provides IOCs for detection, including kenaikoda[.]com, teams.onlivecall[.]com, 23.254.204[.]101, and several file hashes.
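The summary above describes three lockfile-visible symptoms of this kind of compromise: a dependency pinned to a poisoned release, a well-known package suddenly declaring a dependency it never had, and a new package that carries an install script. The script below is an added example (not code from the 360 report or the axios project) that audits an npm package-lock.json for all three. The malicious axios version numbers are not recoverable from this page, so BLOCKED_VERSIONS holds an obvious placeholder; the EXPECTED_DEPS baseline for axios and the sample lock (including the package name "constructed-injected-dep") are assumptions constructed for the example.

```python
import json
import sys
from typing import Any

# Placeholder blocklist: replace "PLACEHOLDER_BAD_VERSION" with the versions named
# in the 360 report. The page this example accompanies does not carry them.
BLOCKED_VERSIONS: dict[str, set[str]] = {
    "axios": {"PLACEHOLDER_BAD_VERSION"},
}

# Dependencies a vetted axios 1.x release declares. This baseline is an assumption
# of the example; take it from the last release you actually reviewed.
EXPECTED_DEPS: dict[str, set[str]] = {
    "axios": {"follow-redirects", "form-data", "proxy-from-env"},
}


def package_name(path: str, entry: dict[str, Any]) -> str:
    """Derive the package name from a lockfile path such as node_modules/@scope/pkg."""
    return entry.get("name") or path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock: dict[str, Any]) -> list[dict[str, str]]:
    """Return one finding per suspicious condition; an empty list means nothing matched."""
    packages = lock.get("packages")
    if packages is None:
        # lockfileVersion 1 stores a nested "dependencies" tree and has no
        # hasInstallScript flag; regenerate the lock with a current npm first.
        raise ValueError("lockfileVersion 2 or 3 required (no 'packages' map found)")

    findings: list[dict[str, str]] = []
    for path, entry in packages.items():
        if path == "":
            continue  # the root project entry, not an installed package
        name = package_name(path, entry)
        version = entry.get("version", "")

        # 1. A package pinned to a release known to be malicious.
        if version in BLOCKED_VERSIONS.get(name, set()):
            findings.append({"kind": "blocked-version", "package": name, "detail": version})

        # 2. A package that declares a dependency outside its vetted baseline.
        expected = EXPECTED_DEPS.get(name)
        if expected is not None:
            declared = set(entry.get("dependencies", {}))
            for dep in sorted(declared - expected):
                findings.append({"kind": "unexpected-dependency", "package": name, "detail": dep})

        # 3. npm sets hasInstallScript for packages with preinstall/install/postinstall.
        if entry.get("hasInstallScript"):
            findings.append({"kind": "install-script", "package": name, "detail": path})
    return findings


# Constructed sample lock: the project is pinned to the placeholder bad axios release,
# which declares an injected dependency that in turn carries an install script.
SAMPLE_LOCK: dict[str, Any] = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "PLACEHOLDER_BAD_VERSION"}},
        "node_modules/axios": {
            "version": "PLACEHOLDER_BAD_VERSION",
            "dependencies": {
                "follow-redirects": "^1.15.6",
                "form-data": "^4.0.0",
                "proxy-from-env": "^1.1.0",
                "constructed-injected-dep": "1.0.0",
            },
        },
        "node_modules/constructed-injected-dep": {"version": "1.0.0", "hasInstallScript": True},
        "node_modules/follow-redirects": {"version": "1.15.6"},
    },
}


def main(argv: list[str]) -> int:
    """Audit the lockfile given on the command line, or the built-in sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    findings = audit_lockfile(lock)
    for f in findings:
        print(f"{f['kind']:22} {f['package']:32} {f['detail']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_lock.py package-lock.json` in CI so a non-zero exit blocks the build. The baseline check is the one that would have fired here even before the bad versions were public: a trusted package growing a dependency is rare enough to warrant a human look every time.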

Indicators of Compromise

Type     Value                              First Seen   Last Seen
HASH     41372946fe231c73750428700f6015fb   2026-04-01   2026-04-01
HASH     3f47643c7a5cbf132f46b4cba75d1aa3   2026-04-01   2026-04-01
HASH     db07741e586bfae526730c592a2ffe6a   2026-04-01   2026-04-01
HASH     ea3192f64b9988889d5f8c61be637d2a   2026-04-01   2026-04-01
DOMAIN   kenaikoda.com                      2026-04-01   2026-04-01
DOMAIN   teams.onlivecall.com               2026-04-01   2026-04-01
IPv4     23.254.204.101                     2026-04-01   2026-04-01
HASH     182760cbe11fa0316abfb8b7b00b63f…   2023-04-21   2026-04-01
