axios Compromised: A Supply Chain Attack on npm's Most Popular HTTP Client

2026-03-31 Koi

https://www.koi.ai/blog/axios-compromised-a-supply-chain-attack-on-npms-most-popular-http-client


Malicious axios versions 1.14.1 and 0.30.4 were published to npm through a compromised maintainer account, hitting both the modern (1.x) and legacy (0.x) branches of a package with more than 100 million weekly downloads. The attacker did not modify the axios source itself; instead, [email protected] was injected as a runtime dependency so that its obfuscated setup.js postinstall hook would run during installation. That dropper contacted sfrclak.com:8000 and fetched platform-specific RAT payloads for macOS, Windows, and Linux over POST paths styled to look like npm traffic, such as packages.npm.org/product0, product1, and product2. The campaign also relied on a clean, staged version of the injected dependency, publisher accounts backed by ProtonMail addresses, self-deleting artifacts, and filesystem paths such as /Library/Caches/com.apple.act.mond, %PROGRAMDATA%\wt.exe, and /tmp/ld.py. Scoping exposure therefore needs all three telemetry sources: the axios version pinned in lockfiles, the presence of those paths on hosts, and outbound connections to the C2 domain or IP.
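
As an added scoping example (not code from the Koi report or from the axios project), the script below checks the three telemetry sources the summary names: it walks an npm lockfile (lockfileVersion 1 and 2/3 formats) for axios pinned to 1.14.1 or 0.30.4, tags proxy log lines that reach the C2 domain or IP or use the npm-lookalike POST paths, and checks whether the listed host artifacts exist. The sample lockfiles, the proxy log format, and the regex used to spot the dropper paths are constructed assumptions; only the versions, domain, IP, port, and file paths come from the report.

```python
import json
import os
import re

# Malicious axios versions named in the report: 1.14.1 (1.x branch) and 0.30.4 (0.x branch).
MALICIOUS_AXIOS = {"1.14.1", "0.30.4"}

# Network indicators from the report. The regex for the dropper's POST paths is an
# assumption about how "packages.npm.org/product0..2" appears in a logged URL.
IOC_DOMAIN = "sfrclak.com"
IOC_IPV4 = "142.11.206.73"
IOC_PORT = 8000
DROPPER_PATH = re.compile(r"packages\.npm\.org/product[0-2]\b")

# Host artifacts from the report. %PROGRAMDATA% stays literal here; os.path.expandvars
# expands it on Windows and leaves it untouched on POSIX.
HOST_ARTIFACTS = [
    "/Library/Caches/com.apple.act.mond",
    r"%PROGRAMDATA%\wt.exe",
    "/tmp/ld.py",
]


def find_malicious_axios(lock: dict) -> list[str]:
    """Return '<node_modules path>@<version>' for each axios entry pinned to a malicious version.

    lockfileVersion 2/3 stores a flat "packages" map keyed by node_modules path, so nested
    copies (node_modules/foo/node_modules/axios) are covered directly. lockfileVersion 1
    stores a nested "dependencies" tree, which is walked recursively. A v2 file carries
    both; only "packages" is consulted there to avoid double counting.
    """
    hits: list[str] = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path.rsplit("node_modules/", 1)[-1] == "axios" and meta.get("version") in MALICIOUS_AXIOS:
                hits.append(f"{path}@{meta['version']}")
        return hits

    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "axios" and meta.get("version") in MALICIOUS_AXIOS:
                hits.append(f"{path}@{meta['version']}")
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return hits


def scan_proxy_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Tag log lines that touch the C2 host or use the dropper's npm-lookalike POST paths."""
    findings = []
    for line in lines:
        reasons = []
        if IOC_DOMAIN in line or IOC_IPV4 in line:
            reasons.append("c2_host")
        if DROPPER_PATH.search(line):
            reasons.append("dropper_path")
            if f":{IOC_PORT}/" in line:
                reasons.append("c2_port")
        if reasons:
            findings.append((line, reasons))
    return findings


def check_host_artifacts(exists=os.path.exists) -> list[str]:
    """Return the report's filesystem artifacts that are present on this host."""
    return [p for p in HOST_ARTIFACTS if exists(os.path.expandvars(p))]


# Constructed lockfileVersion 3 sample: a direct axios 1.14.1 plus a clean nested copy.
SAMPLE_LOCK_V3 = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/some-lib": {"version": "2.0.0", "dependencies": {"axios": "1.13.0"}},
        "node_modules/some-lib/node_modules/axios": {"version": "1.13.0"},
    },
}

# Constructed lockfileVersion 1 sample: the 0.x malicious version pulled in transitively.
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "legacy-lib": {"version": "0.9.0", "dependencies": {"axios": {"version": "0.30.4"}}},
    },
}

# Constructed proxy log lines in the form "<time> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2026-03-31T02:14:07Z 10.0.0.12 POST http://sfrclak.com:8000/packages.npm.org/product0 200",
    "2026-03-31T02:14:09Z 10.0.0.12 GET https://registry.npmjs.org/axios 200",
    "2026-03-31T02:15:44Z 10.0.0.17 POST http://142.11.206.73:8000/packages.npm.org/product2 200",
]

if __name__ == "__main__":
    import sys
    # Pass a real package-lock.json as the first argument; otherwise the constructed sample is used.
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK_V3
    print("malicious axios:", find_malicious_axios(lock))
    print("proxy findings:", scan_proxy_log(SAMPLE_PROXY_LOG))
    print("host artifacts present:", check_host_artifacts())
```

Run it against each repository's package-lock.json and against exported proxy or DNS logs; yarn.lock and pnpm-lock.yaml use different formats and need their own parser, and a hit on any of the host artifact paths should be treated as execution, not just exposure, since those files are written by the dropper rather than by npm.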

Indicators of Compromise

Type     Value                  First Seen   Last Seen
DOMAIN   sfrclak.com            2026-03-30   2026-04-20
EMAIL    [email protected]      2026-03-30   2026-04-17
EMAIL    [email protected]      2026-03-30   2026-04-17
IPv4     142.11.206.73          2026-03-30   2026-04-17
