Axios npm Supply Chain Attack - Cross-Platform RAT Deployed via Compromised Maintainer Account

2026-04-01 Bitdefender

https://www.bitdefender.com/en-us/blog/businessinsights/technical-advisory-axios-npm-supply-chain-attack-cross-platform-rat-deployed-compromised-account

Bitdefender attributes the axios incident to an unknown threat actor, not to any named state group, and describes a supply-chain compromise of the primary maintainer's npm account. The attacker published [email protected] and [email protected] with a hidden [email protected] dependency whose postinstall script downloaded platform-specific RAT payloads for Windows, macOS, and Linux. The Windows chain copied PowerShell to %PROGRAMDATA%\wt.exe, launched it with flags that hid the window and bypassed the execution policy, wrote %PROGRAMDATA%\system.bat, and persisted through an HKCU Run key value named MicrosoftUpdate. The RAT contacted sfrclak[.]com:8000 and 142.11.206[.]73, enumerated user directories and host metadata, and supported remote PowerShell execution, process listing, directory browsing, binary injection, and self-termination. The report matters for defenders because developer machines and CI/CD systems that ran npm install during the exposure window may have exposed environment variables, cloud keys, SSH keys, npm tokens, and other build secrets.
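For triage of a Windows developer workstation, the following read-only PowerShell check looks for the persistence and C2 artifacts named above. It is an added example, not code from the Bitdefender advisory; it assumes it runs in the affected user's session (only the HKCU hive is inspected) on a Windows version that ships the NetTCPIP and DnsClient modules.

```powershell
# Added example, not from the Bitdefender advisory: read-only triage of one
# Windows host for the persistence and C2 artifacts described in the summary.
$findings = @()

# 1. Renamed PowerShell copy and batch dropper under %PROGRAMDATA%
foreach ($name in 'wt.exe', 'system.bat') {
    $path = Join-Path $env:ProgramData $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Indicator = "file $path"; Detail = "sha256=$hash" }
    }
}

# 2. Run value named MicrosoftUpdate in the current user's hive
#    (assumption: run in the affected user's session; other users' hives under HKU are not inspected)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['MicrosoftUpdate']) {
    $findings += [pscustomobject]@{ Indicator = 'run value MicrosoftUpdate'; Detail = $run.MicrosoftUpdate }
}

# 3. Processes currently executing from the renamed PowerShell path
$wtPath = Join-Path $env:ProgramData 'wt.exe'
foreach ($p in Get-CimInstance Win32_Process -ErrorAction SilentlyContinue) {
    if ($p.ExecutablePath -and ($p.ExecutablePath -ieq $wtPath)) {
        $findings += [pscustomobject]@{ Indicator = "process pid=$($p.ProcessId)"; Detail = $p.CommandLine }
    }
}

# 4. Live TCP connections to the reported C2 address and cached lookups of the C2 domain
foreach ($c in Get-NetTCPConnection -RemoteAddress '142.11.206.73' -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{ Indicator = "tcp $($c.RemoteAddress):$($c.RemotePort)"; Detail = "pid=$($c.OwningProcess) state=$($c.State)" }
}
foreach ($d in Get-DnsClientCache -ErrorAction SilentlyContinue) {
    if ($d.Entry -like '*sfrclak.com') {
        $findings += [pscustomobject]@{ Indicator = "dns cache $($d.Entry)"; Detail = $d.Data }
    }
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize } else { 'No axios-RAT artifacts found on this host.' }
```

A hit on any row means the host ran the trojanized install and every secret reachable from that session (environment variables, cloud and SSH keys, npm tokens) should be considered exposed; an empty result does not clear a host whose Run key was already removed or whose C2 session is not currently open.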

Indicators of Compromise

Type     Value               First Seen    Last Seen
DOMAIN   sfrclak.com         2026-03-30    2026-04-20
EMAIL    [email protected]   2026-03-30    2026-04-17
IPv4     142.11.206.73       2026-03-30    2026-04-17