Axios NPM supply chain incident

2026-04-03 Cisco Talos

https://blog.talosintelligence.com/axois-npm-supply-chain-incident/


Cisco Talos found that attackers published malicious Axios npm versions 1.14.1 and 0.30.4 on March 31, 2026, leaving the widely used JavaScript HTTP client exposed for about three hours. The modified packages introduced a fake dependency, plain-crypto-js, whose post-install script contacted 142[.]11[.]206[.]73 and delivered platform-specific payloads for macOS, Windows, and Linux. The payloads included a macOS binary named com.apple.act.mond, a Windows PowerShell chain that used %PROGRAMDATA%\wt.exe, and a Linux Python backdoor with remote access trojan capabilities for information gathering and follow-on execution. Talos assessed that any credentials present on systems that installed the malicious packages should be treated as compromised, because the actor gained both exfiltration and remote management capabilities.

Indicators of Compromise

Type    Value                               First Seen   Last Seen
DOMAIN  sfrclak.com                         2026-03-30   2026-04-20
HASH    ed8560c1ac7ceb6983ba995124d5917…    2026-03-31   2026-04-17
HASH    e10b1fa84f1d6481625f741b6989278…    2026-03-31   2026-04-17
HASH    617b67a8e1210e4fc87c92d1d1da45a…    2026-03-30   2026-04-17
HASH    92ff08773995ebc8d55ec4b8e1a225d…    2026-03-30   2026-04-17
HASH    fcb81618bb15edfdedfb638b4c08a2a…    2026-03-30   2026-04-17
IPv4    142.11.206.73                       2026-03-30   2026-04-17
