Axios npm attack: rapid hunting with KQL and response guide

2026-04-03 NVISO

https://blog.nviso.eu/2026/04/03/the-axios-npm-supply-chain-incident-fake-dependency-real-backdoor/


NVISO describes hunting and response activity for the Axios npm supply-chain incident, where compromised Axios releases added the trojanized [email protected] dependency and deployed cross-platform RAT payloads. Its MDR telemetry observed activity mainly on developer workstations and Docker containers, with Windows infections launching setup.js through node.exe, copying PowerShell to C:\ProgramData\wt.exe, staging 6202033.vbs and 6202033.ps1, and communicating with sfrclak.com:8000/6202033. The second-stage PowerShell behavior included system and filesystem reconnaissance, local enumeration, C2 communication, and persistence via a Run-key value named MicrosoftUpdate pointing to C:\ProgramData\system.bat. NVISO provides Defender KQL hunts for network, process, file, and registry traces, including domains sfrclak.com, callnrwise.com, calltan.com, IPs 142.11.206.73 and 23.254.167.216, and hashes for setup.js, payloads, packages, and persistence artifacts. The guidance emphasizes isolating affected endpoints, rotating secrets, blocking IOCs, and rebuilding CI/CD artifacts from clean pinned dependency versions.
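As an added example, not NVISO's own published hunts (those are in the linked post), the following Defender Advanced Hunting query combines the four trace types the summary names (network, process, file, registry) into one result set. It assumes the standard DeviceNetworkEvents, DeviceProcessEvents, DeviceFileEvents and DeviceRegistryEvents tables and uses only the domains, IPs, file names, paths and registry value named above; the hashes in the IOC table below are truncated on this page, so it matches on names and paths rather than SHA256.

```kql
// Added example (not NVISO's query). Hunts for the Windows-side artifacts
// described in the summary over the last 30 days; widen the window if the
// first npm install of the affected release could be older.
let c2_domains = dynamic(["sfrclak.com", "callnrwise.com", "calltan.com"]);
let c2_ips = dynamic(["142.11.206.73", "23.254.167.216"]);
// 1. Network: any contact with the C2 domains or IPs (staging URL was on port 8000)
let net = DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteIP in (c2_ips) or RemoteUrl has_any (c2_domains)
| project Timestamp, DeviceName, Trace = "network",
          Detail = strcat(RemoteUrl, " ", RemoteIP, ":", tostring(RemotePort)),
          InitiatingProcessFileName, InitiatingProcessCommandLine;
// 2. Process: node.exe running setup.js, or the PowerShell copy at C:\ProgramData\wt.exe
let proc = DeviceProcessEvents
| where Timestamp > ago(30d)
| where (InitiatingProcessFileName =~ "node.exe" and ProcessCommandLine has "setup.js")
    or FolderPath =~ @"C:\ProgramData\wt.exe"
    or (FileName =~ "wt.exe" and ProcessCommandLine has_any ("6202033.ps1", "6202033.vbs"))
| project Timestamp, DeviceName, Trace = "process", Detail = ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
// 3. File: staging artifacts and the persistence script dropped under C:\ProgramData
let files = DeviceFileEvents
| where Timestamp > ago(30d)
| where FolderPath startswith @"C:\ProgramData\"
| where FileName in~ ("wt.exe", "6202033.vbs", "6202033.ps1", "system.bat")
| project Timestamp, DeviceName, Trace = "file", Detail = strcat(ActionType, " ", FolderPath, "\\", FileName),
          InitiatingProcessFileName, InitiatingProcessCommandLine;
// 4. Registry: Run-key value "MicrosoftUpdate" or any Run value pointing at system.bat
let reg = DeviceRegistryEvents
| where Timestamp > ago(30d)
| where RegistryKey has @"\CurrentVersion\Run"
| where RegistryValueName =~ "MicrosoftUpdate" or RegistryValueData has "system.bat"
| project Timestamp, DeviceName, Trace = "registry",
          Detail = strcat(RegistryKey, " ", RegistryValueName, " = ", RegistryValueData),
          InitiatingProcessFileName, InitiatingProcessCommandLine;
union net, proc, files, reg
| order by DeviceName asc, Timestamp asc
```

Grouping the output by DeviceName gives the per-host timeline a responder needs when deciding which endpoints to isolate and which secrets present on those hosts to rotate. Because the Linux and container infections the post mentions do not leave these Windows artifacts, the network leg of this query is the only one that covers them; extend the process and file legs with the non-Windows details from the full post before relying on it for Docker hosts.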

Indicators of Compromise

Type    Value                                  First Seen   Last Seen
DOMAIN  sfrclak.com                            2026-03-30   2026-04-20
HASH    58401c195fe0a6204b42f5f90995ece…       2026-03-31   2026-04-17
HASH    ed8560c1ac7ceb6983ba995124d5917…       2026-03-31   2026-04-17
HASH    59336a964f110c25c112bcc5adca709…       2026-03-31   2026-04-17
HASH    5bb67e88846096f1f8d42a0f0350c9c…       2026-03-31   2026-04-17
HASH    f7d335205b8d7b20208fb3ef93ee6dc…       2026-03-31   2026-04-17
HASH    e10b1fa84f1d6481625f741b6989278…       2026-03-31   2026-04-17
DOMAIN  calltan.com                            2026-03-31   2026-04-17
DOMAIN  callnrwise.com                         2026-03-31   2026-04-17
HASH    617b67a8e1210e4fc87c92d1d1da45a…       2026-03-30   2026-04-17
HASH    92ff08773995ebc8d55ec4b8e1a225d…       2026-03-30   2026-04-17
HASH    fcb81618bb15edfdedfb638b4c08a2a…       2026-03-30   2026-04-17
IPv4    142.11.206.73                          2026-03-30   2026-04-17
IPv4    23.254.167.216                         2025-01-14   2026-04-17
HASH    e49c2732fb9861548208a78e72996b9…       2026-03-31   2026-04-03
