Breaking Down the Axios Supply Chain Attack

2026-04-02 Veracode

https://www.veracode.com/blog/breaking-down-the-axios-supply-chain-attack/


Veracode found that [email protected] and [email protected] were published after an npm account compromise, with the only Axios change being the addition of plain-crypto-js as a dependency. That dependency was never imported by Axios and existed to run a postinstall setup.js dropper, which used reversed Base64 strings and XOR obfuscation before branching by operating system. The dropper downloaded payloads from hxxp://sfrclak[.]com:8000/6202033, placing a macOS binary at /Library/Caches/com.apple.act.mond, a Windows PowerShell RAT through %PROGRAMDATA%\wt.exe and temporary scripts, and a Linux Python RAT at /tmp/ld.py. After execution, it deleted setup.js and swapped in a clean package.json from package.md, leaving a lockfile/package metadata mismatch as a residual clue. Veracode also identified affected downstream packages that carried the same malicious payload through vendored or mirrored dependencies.
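The residual clue above, a lockfile that still records a dependency the swapped-in package.json no longer declares, can be checked mechanically. The following is an added example (not Veracode's tooling) that audits an npm v3 lockfile against the installed manifests and also lists entries npm flagged with `hasInstallScript`; the sample data and version strings are constructed placeholders, not the real affected releases.

```python
"""Audit an npm install for a lockfile/manifest mismatch and for install-script packages."""
import json
from pathlib import Path

# Constructed sample: a lockfile ("packages" map, lockfileVersion 3) that still records the
# injected dependency on axios, next to the cleaned package.json the dropper left behind.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "node_modules/axios": {
      "version": "0.0.0-placeholder",
      "dependencies": {"follow-redirects": "^1.15.6", "plain-crypto-js": "^0.0.0-placeholder"}
    },
    "node_modules/plain-crypto-js": {"version": "0.0.0-placeholder", "hasInstallScript": true},
    "node_modules/follow-redirects": {"version": "1.15.6"}
  }
}""")
SAMPLE_INSTALLED = {  # path -> contents of node_modules/<path>/package.json (constructed)
    "node_modules/axios": {"name": "axios", "dependencies": {"follow-redirects": "^1.15.6"}},
    "node_modules/plain-crypto-js": {"name": "plain-crypto-js"},
    "node_modules/follow-redirects": {"name": "follow-redirects"},
}


def lock_vs_manifest_mismatches(lock, installed):
    """Return (package path, dependency) pairs that the lockfile records but the installed
    package.json does not declare: the footprint of a manifest rewritten after install."""
    found = []
    for path, entry in lock.get("packages", {}).items():
        manifest = installed.get(path) if path else None  # "" is the root project
        if manifest is None:
            continue
        declared = set()
        for key in ("dependencies", "optionalDependencies", "peerDependencies"):
            declared |= set(manifest.get(key, {}))
        found += [(path, dep) for dep in entry.get("dependencies", {}) if dep not in declared]
    return found


def install_script_packages(lock):
    """Lockfile entries npm marked with hasInstallScript (pre/post/install hooks run on install)."""
    return sorted(p for p, e in lock.get("packages", {}).items() if e.get("hasInstallScript"))


def load_installed(project_root="."):
    """Read every node_modules/<pkg>/package.json referenced by the lockfile of a real tree."""
    root = Path(project_root)
    lock = json.loads((root / "package-lock.json").read_text())
    manifests = {}
    for path in lock.get("packages", {}):
        pkg_json = root / path / "package.json"
        if path and pkg_json.is_file():
            manifests[path] = json.loads(pkg_json.read_text())
    return lock, manifests
```

Run `lock_vs_manifest_mismatches(*load_installed("/path/to/project"))` against a real checkout; any hit, or an unexpected `hasInstallScript` entry, is worth a manual look at that package's scripts.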

Indicators of Compromise

| Type  | Value                            | First Seen | Last Seen  |
|-------|----------------------------------|------------|------------|
| DOMAIN| sfrclak.com                      | 2026-03-30 | 2026-04-20 |
| URL   | http://sfrclak.com:8000/6202033  | 2026-03-30 | 2026-04-17 |
| IPv4  | 142.11.206.73                    | 2026-03-30 | 2026-04-17 |
