Axios NPM Package Supply Chain Compromise Leads to RAT Deployment

2026-04-09 Levelblue

https://www.levelblue.com/blogs/spiderlabs-blog/axios-npm-package-supply-chain-compromise-leads-to-rat-deployment


Malicious Axios npm versions `[email protected]` and `[email protected]` were observed in a customer environment after attackers abused npm lifecycle execution through a hidden dependency. The postinstall chain launched shell and PowerShell activity, downloaded a secondary payload from attacker infrastructure, and led to suspected RAT deployment on developer or CI/CD systems. LevelBlue reported detections for abnormal process chains, renamed PowerShell activity, and outbound C2 communication, and recommended isolating and rebuilding affected hosts, rotating credentials, auditing builds, and disabling npm lifecycle scripts where feasible.

Indicators of Compromise

Type    Value                                 First Seen   Last Seen
DOMAIN  sfrclak.com                           2026-03-30   2026-04-20
HASH    e10b1fa84f1d6481625f741b6989278…      2026-03-31   2026-04-17
HASH    617b67a8e1210e4fc87c92d1d1da45a…      2026-03-30   2026-04-17
URL     http://sfrclak.com:8000/6202033       2026-03-30   2026-04-17
IPv4    142.11.206.73                         2026-03-30   2026-04-17
