Axios npm Supply Chain Attack: Cross-Platform RAT Delivery via Compromised Maintainer Credentials

2026-03-31 Picus Security

https://www.picussecurity.com/resource/blog/axios-npm-supply-chain-attack-cross-platform-rat-delivery-via-compromised-maintainer-credentials


Attackers compromised the npm account of Axios maintainer jasonsaayman, likely through a long-lived classic npm token, and published malicious Axios versions 1.14.1 and 0.30.4. The only change to the Axios package itself was the addition of a new dependency, [email protected], whose postinstall hook ran an obfuscated Node.js dropper and contacted sfrclak.com:8000 to fetch an OS-specific RAT. The macOS path installed a trojan binary at /Library/Caches/com.apple.act.mond, the Windows path used a disguised PowerShell copy and a VBScript loader, and the Linux path downloaded a Python RAT to /tmp/ld.py. The campaign shows how theft of registry credentials bypasses upstream code review and CI/CD protections, because the malicious code never passes through the project's repository, and how a single trusted package can spread a malicious transitive dependency to every downstream consumer.

Indicators of Compromise

Type     Value                First Seen   Last Seen
DOMAIN   sfrclak.com          2026-03-30   2026-04-20
EMAIL    [email protected]    2026-03-30   2026-04-17
EMAIL    [email protected]    2026-03-30   2026-04-17
