Axios npm package compromised to deploy malware
2026-03-31 • Sophos
https://www.sophos.com/en-us/blog/axios-npm-package-compromised-to-deploy-malware
Sophos CTU reported that Axios versions 1.14.1 and 0.30.4 were compromised after an apparent npm maintainer account takeover and used to deploy a cross-platform RAT. The malicious dependency executed during installation, retrieved platform-specific second-stage payloads from C2 infrastructure, and attempted to remove artifacts and replace the package metadata with a clean version. Sophos telemetry first detected related activity around 00:45 UTC on March 31, 2026; macOS, Windows, and Linux systems were affected, but no follow-on actor activity had been confirmed at publication time. CTU assessed that NICKEL GLADSTONE, a North Korea-linked, revenue-focused state-sponsored group, was highly likely responsible, based on matching forensic metadata, C2 patterns, and links to malware used exclusively by the group.
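Because the payload ran at install time, two checks a defender wants are: does a lockfile pin one of the affected axios versions, and which dependencies declare npm lifecycle scripts that run during `npm install`. The following is an added example, not code from the Sophos post; the sample lockfile and package.json are constructed, and the dependency names in them (`some-lib`, `example-dep`) are placeholders.

```python
import json

# Axios versions named in the Sophos report as compromised.
AFFECTED_AXIOS = {"1.14.1", "0.30.4"}
# npm lifecycle scripts that run automatically during `npm install`.
INSTALL_SCRIPTS = ("preinstall", "install", "postinstall")


def find_affected_axios(lockfile: dict) -> list:
    """Return (path, version) for every axios entry pinned to an affected version.
    Handles lockfileVersion 2/3 ("packages") and the older v1 "dependencies" tree."""
    hits = []
    for path, meta in lockfile.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]  # "" for the root project entry
        if name == "axios" and meta.get("version") in AFFECTED_AXIOS:
            hits.append((path, meta["version"]))

    def walk_v1(deps, prefix):  # recurse the nested v1 dependency tree
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "axios" and meta.get("version") in AFFECTED_AXIOS:
                hits.append((path, meta["version"]))
            walk_v1(meta.get("dependencies", {}), path + "/")

    if "packages" not in lockfile:
        walk_v1(lockfile.get("dependencies", {}), "")
    return hits


def install_scripts(package_json: dict) -> dict:
    """Return the lifecycle scripts in a dependency's package.json that run at install time."""
    scripts = package_json.get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_SCRIPTS}


# Constructed sample lockfile (v3 layout): affected axios at top level, a clean nested copy.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo", "dependencies": {"axios": "1.14.1"}},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/some-lib": {"version": "2.0.0"},
    "node_modules/some-lib/node_modules/axios": {"version": "1.13.0"}
  }
}""")
# Constructed package.json of a hypothetical dependency declaring an install-time hook.
SAMPLE_PKG = {"name": "example-dep", "version": "0.0.1",
              "scripts": {"postinstall": "node setup.js", "test": "jest"}}
```

Run `find_affected_axios` over each lockfile in a build tree and `install_scripts` over every `node_modules/*/package.json`; any non-empty result is worth a manual look, since a legitimate postinstall and a malicious one look the same in metadata.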