Attackers hijacked the jasonsaayman npm account and published malicious [email protected] and [email protected], adding [email protected] solely to run a postinstall dropper. The package contacted sfrclak[.]com:8000 and installed platform-specific RAT payloads on macOS, Windows, and Linux, including /Library/Caches/com.apple.act.mond, %PROGRAMDATA%\wt.exe, and /tmp/ld.py. Aikido notes the dropper deleted setup.js and replaced its package metadata with a clean stub, so responders should rely on logs and artifact checks rather than node_modules inspection alone. The report advises rebuilding affected hosts and rotating exposed npm, cloud, SSH, CI/CD, wallet, and environment secrets.