Axios attacker strikes again! Three NPM packages have been hiding in plain sight for two months

2026-05-19 OSM

https://opensourcemalware.com/blog/axios-attacker-additional-npm-packages


OpenSourceMalware found three malicious npm packages that it links to the March 2026 Axios compromise through a shared XOR key, OrDeR_7077; the new packages use separate C2 infrastructure at 18.208.244.120:9999. The packages redeem-onchain-sdk, nicegui, and period-newline relied on npm postinstall execution, self-deletion, package.json rewriting, and multi-layer obfuscation to conceal an infostealer. The malware collected host and user details, external IP data, developer credentials, cloud and npm secrets, SSH material, Docker registry authentication, browser login data, and recent git history, then exfiltrated it over an encrypted TCP connection. The earlier Axios campaign was attributed by Google Threat Intelligence Group to UNC1069, a financially motivated North Korea-nexus actor; Microsoft tracks the same activity as Sapphire Sleet.
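As an added example that is not OpenSourceMalware's tooling or code from the packages themselves, the Python helper below does two of the checks a responder would want after reading the summary: it audits a package.json for the three reported package names and for install-time lifecycle hooks, and it sweeps long string literals in a JavaScript file, trying hex or base64 decoding followed by XOR with OrDeR_7077, and flags any literal that decodes to readable text, including the reported C2 address. It assumes repeating-key XOR under the UTF-8 bytes of the key (the page does not describe the encoding layers), and every sample input is constructed for the example.

```python
"""Added triage helper for the campaign summarized above (not OSM's or the packages' code).

Assumptions not stated on the page: obfuscated strings are repeating-key XOR under the
UTF-8 bytes of OrDeR_7077, stored as hex or base64 string literals. Every sample input
below is constructed for this example.
"""
import base64
import binascii
import json
import re
import string

XOR_KEY = b"OrDeR_7077"                      # key shared with the March 2026 Axios payload
C2_HOST = "18.208.244.120"                   # C2 address reported for these packages
SUSPECT_PACKAGES = {"redeem-onchain-sdk", "nicegui", "period-newline"}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
PRINTABLE = set(string.printable.encode())
LITERAL_RE = re.compile(r"""["']([A-Za-z0-9+/=]{24,})["']""")


def xor_repeating(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR data with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_textual(data: bytes, threshold: float = 0.95) -> bool:
    """True when almost every byte is printable ASCII, i.e. a plausible decoded string."""
    return bool(data) and sum(b in PRINTABLE for b in data) / len(data) >= threshold


def decode_candidates(js_source: str, key: bytes = XOR_KEY) -> list[str]:
    """Return every long string literal that decodes to text after hex/base64 + XOR."""
    hits = []
    for match in LITERAL_RE.finditer(js_source):
        literal = match.group(1)
        raws = []
        if len(literal) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", literal):
            raws.append(bytes.fromhex(literal))
        try:
            raws.append(base64.b64decode(literal, validate=True))
        except (binascii.Error, ValueError):
            pass
        for raw in raws:
            decoded = xor_repeating(raw, key)
            if looks_textual(decoded):
                hits.append(decoded.decode("ascii", errors="replace"))
                break
    return hits


def c2_references(decoded: list[str]) -> list[str]:
    """Subset of decoded strings that mention the reported C2 host."""
    return [s for s in decoded if C2_HOST in s]


def audit_package_json(text: str) -> list[str]:
    """Flag the three reported package names and any install-time lifecycle hook."""
    pkg = json.loads(text)
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(pkg.get(section, {}))
    findings = [f"suspect dependency: {n}@{deps[n]}" for n in sorted(set(deps) & SUSPECT_PACKAGES)]
    scripts = pkg.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(f"lifecycle hook {hook}: {scripts[hook]}")
    return findings


# --- constructed samples (not real package contents) ----------------------------------
PLAIN_C2 = f"{C2_HOST}:9999".encode()
PLAIN_PATHS = b"~/.ssh/id_rsa ~/.npmrc ~/.docker/config.json"
SAMPLE_JS = (
    'const a = "%s";\n' % xor_repeating(PLAIN_C2).hex()
    + 'const b = "%s";\n' % base64.b64encode(xor_repeating(PLAIN_PATHS)).decode()
    + 'const c = "%s";\n' % base64.b64encode(b"hello world, this is not payload").decode()
)
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "victim-app",
    "dependencies": {"nicegui": "^1.0.0", "express": "^4.19.0"},
    "scripts": {"postinstall": "node setup.js", "test": "jest"},
})

if __name__ == "__main__":
    found = decode_candidates(SAMPLE_JS)
    print("decoded literals:", found)
    print("C2 references:", c2_references(found))
    print("package.json findings:", audit_package_json(SAMPLE_PACKAGE_JSON))
```

The third literal in the sample is plain base64 with no XOR layer, so it decodes to unreadable bytes under the key and is not flagged; that is the false-positive control. Because the page notes that these packages rewrite package.json and delete themselves after running, audit the registry tarball or the lockfile rather than the installed copy in node_modules, where the postinstall hook may already be gone.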

Indicators of Compromise

Type    Value            First Seen  Last Seen
IPv4    18.208.244.120   2026-05-19  2026-05-19
DOMAIN  sfrclak.com      2026-03-30  2026-04-20
IPv4    142.11.206.73    2026-03-30  2026-04-17
