axios Compromised: npm Supply Chain Attack via Dependency Injection
2026-03-31 • SafeDep
SafeDep identified malicious axios releases 1.14.1 and 0.30.4 published to npm after an apparent maintainer account compromise, with no matching GitHub tag or provenance for the 1.14.1 package. The attacker made a narrow manifest-only change by adding the lookalike dependency plain-crypto-js, whose postinstall setup.js executed automatically during installation. The obfuscated loader contacted hxxp://sfrclak[.]com:8000/6202033 and used OS-specific requests to retrieve macOS, Windows, and Linux payloads, including /Library/Caches/com.apple.act.mond on macOS and /tmp/ld.py on Linux. The report provides package hashes, Proton Mail publisher accounts, C2 IP 142.11.206.73, and process/file indicators that help defenders hunt for install-time compromise across developer and CI environments.