Axios npm Supply Chain Compromise (2026-03-31) — Full RE + Dynamic Analysis + BlueNoroff Attribution

2026-03-31 N3mes1s

https://gist.github.com/N3mes1s/0c0fc7a0c23cdb5e1c8f66b208053ed6

The analysis attributes the March 2026 axios npm supply-chain compromise to BlueNoroff/Lazarus with high confidence, citing NukeSped classification, macWebT naming overlap with RustBucket webT, matching User-Agent behavior, Hostwinds infrastructure, and campaign TTP alignment. The attacker used a compromised axios maintainer account to publish [email protected] and [email protected] with a malicious [email protected] dependency that deployed Windows PowerShell, macOS Mach-O/C++, and Linux Python RAT payloads. The report reconstructs the C2 protocol and identifies sfrclak[.]com:8000 on 142.11.206.73, the /6202033 path, and callnrwise[.]com as related infrastructure, while noting some earlier domain-linkage claims were retracted. It also distinguishes likely downstream-victimized packages from attacker-controlled publishing accounts and frames the operation as part of a continuing DPRK npm and macOS targeting tempo.

Indicators of Compromise

Type    Value                               First Seen   Last Seen
DOMAIN  sfrclak.com                         2026-03-30   2026-04-20
DOMAIN  callnrwise.com                      2026-03-31   2026-04-17
EMAIL   [email protected]                   2026-03-30   2026-04-17
EMAIL   [email protected]                   2026-03-30   2026-04-17
URL     http://sfrclak.com:8000/6202033     2026-03-30   2026-04-17
IPv4    142.11.206.73                       2026-03-30   2026-04-17
IPv4    23.254.167.216                      2025-01-14   2026-04-17
HASH    656b9a2f4de6ed4909e157482860ab3d    2026-03-31   2026-03-31
HASH    1d9437ff1aa1e958ed34a0fb0313f206    2026-03-31   2026-03-31
HASH    773906b0efdefa24a7f2b8eb6985bf37    2026-03-31   2026-03-31
IPv4    144.172.89.231                      2026-03-31   2026-03-31
IPv4    45.61.128.54                        2026-03-31   2026-03-31
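An added example, not code from the gist or from this page: a small Python sweep that takes the network indicators listed above (domain, URL and IPv4 rows), refangs the usual `[.]`/`hxxp` notation, and matches them against proxy log lines by full URL, by domain (including subdomains) and by literal IP. The squid-style log format (`timestamp client method url status`) and the log lines themselves are constructed for illustration and are not real telemetry.

```python
"""IOC sweep for the axios npm compromise indicators against proxy-style logs.

Added example. Log format and sample lines are constructed assumptions.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Network indicator rows copied from the table above (type, value).
IOC_ROWS = [
    ("DOMAIN", "sfrclak.com"),
    ("DOMAIN", "callnrwise.com"),
    ("URL", "http://sfrclak.com:8000/6202033"),
    ("IPv4", "142.11.206.73"),
    ("IPv4", "23.254.167.216"),
    ("IPv4", "144.172.89.231"),
    ("IPv4", "45.61.128.54"),
]

# Assumed log layout: "<timestamp> <client-ip> <METHOD> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def refang(value: str) -> str:
    """Undo common defanging so indicators compare against live log data."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def build_iocs(rows):
    """Split indicator rows into lowercase sets of domains, IPs and full URLs."""
    domains, ips, urls = set(), set(), set()
    for kind, value in rows:
        value = refang(value).lower()
        if kind == "DOMAIN":
            domains.add(value)
        elif kind == "IPv4":
            ips.add(str(ipaddress.ip_address(value)))  # validates the literal
        elif kind == "URL":
            urls.add(value.rstrip("/"))
    return domains, ips, urls


def parse_line(line):
    """Return the fields of one log line, or None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def match_url(url, domains, ips, urls):
    """Return (reason, indicator) pairs for every indicator the URL hits."""
    hits = []
    url = refang(url)
    if "://" not in url:              # urlsplit needs a scheme to find the host
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Strongest signal: exact scheme+host:port+path (query string ignored).
    canon = f"{parts.scheme}://{parts.netloc.lower()}{parts.path}".rstrip("/")
    if canon in urls:
        hits.append(("url", canon))
    # Domain match covers the apex and any subdomain.
    for d in domains:
        if host == d or host.endswith("." + d):
            hits.append(("domain", d))
    # Literal-IP match for direct-to-IP beacons.
    try:
        ip = str(ipaddress.ip_address(host))
        if ip in ips:
            hits.append(("ip", ip))
    except ValueError:
        pass
    return hits


def sweep(lines, rows=IOC_ROWS):
    """Scan log lines and return one finding per line that hits an indicator."""
    domains, ips, urls = build_iocs(rows)
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        hits = match_url(rec["url"], domains, ips, urls)
        if hits:
            findings.append({"line": n, "client": rec["client"],
                             "url": rec["url"], "hits": hits})
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2026-03-31T02:11:07Z 10.0.0.12 GET https://registry.npmjs.org/axios 200",
    "2026-03-31T02:11:09Z 10.0.0.12 GET http://sfrclak.com:8000/6202033 200",
    "2026-03-31T02:12:41Z 10.0.0.27 POST http://142.11.206.73:8000/6202033 200",
    "2026-03-31T02:13:03Z 10.0.0.31 GET http://cdn.callnrwise.com/update.bin 404",
    "2026-03-31T02:14:10Z 10.0.0.44 GET https://github.com/axios/axios 200",
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    for f in sweep(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} -> {f['url']} hits={f['hits']}")
```

Feed it real proxy or DNS logs by adjusting `LOG_RE` to the actual layout; the matching logic is independent of the line format. The hash rows are file-level indicators and are better checked by hashing artifacts under `node_modules` separately rather than through a network-log sweep.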
