Axios npm compromise: XOR dropper to cross-platform RAT

2026-03-31 Derp

https://www.derp.ca/research/axios-npm-supply-chain-rat/


Derp's analysis found that Axios 1.14.1 introduced a single new dependency, [email protected], whose postinstall hook ran an obfuscated JavaScript dropper during npm install. The compromise lasted 169 minutes, affected Axios 1.14.1 and 0.30.4, and used a stolen long-lived classic npm access token to bypass the project's GitHub Actions OIDC Trusted Publisher workflow. The dropper decoded a string table, detected Windows, macOS, or Linux, and posted platform identifiers to http://sfrclak[.]com:8000/6202033 to retrieve RAT payloads. Recovered payloads included a macOS Mach-O RAT at /Library/Caches/com.apple.act.mond and a Windows PowerShell RAT, while the Linux Python RAT was listed by hash but not recovered before the C2 went offline. The macOS implant supported commands for kill, binary execution, AppleScript execution, and directory listing, and collected host, user, OS, hardware, process, and filesystem information.

Indicators of Compromise

