Breaking Down the Axios Supply Chain Attack: Dropper, Cross-Platform RATs, and BlueNoroff/TA444

2026-04-01 Hunt.io

https://hunt.io/blog/axios-supply-chain-attack-ta444-bluenoroff


Hunt.io traces the Axios npm compromise to a staged operation involving takeover of maintainer jasonsaayman's npm account, publication of malicious axios releases, and weaponization of [email protected] as a postinstall dropper. The dropper hid its strings with XOR and reversed Base64, detected the victim OS, and pulled platform-specific RATs from sfrclak.com:8000 at 142.11.206.73 using product identifiers for macOS, Windows, and Linux payloads. The RATs shared commands for killing the implant, dropping binaries, running scripts, and browsing files; Windows also used a renamed PowerShell binary, hidden VBScript execution, execution-policy bypass, and Registry Run-key persistence. Hunt.io links the C2 infrastructure to TA444/BlueNoroff through a shared ETag with a known JustJoin server, Hostwinds AS54290 subnet overlap, and NukeSped malware classification, making the supply-chain event relevant to DPRK-linked intrusion tracking.
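As an added, defender-side example (this is not Hunt.io's tooling and not code from the report), the Python script below audits an npm dependency tree for install-time lifecycle hooks of the kind the dropper abused, and raises the severity of any hook whose command references a host or IP from the report's IoC table. The indicator values are copied from that table; the package manifests embedded for the demo run are constructed sample data, not real axios manifests, and the function names are this example's own.

```python
"""Hunt for install-time npm lifecycle hooks and flag those that reference
known indicators. Added example; not Hunt.io's code and not the dropper."""
import json
import os
import re

# Indicators copied from the report's IoC table (domain and IPv4 entries).
KNOWN_IOCS = {
    "sfrclak.com",
    "142.11.206.73",
    "23.254.167.216",
    "108.174.194.196",
    "108.174.194.44",
}

# npm runs these automatically during `npm install`; the compromised axios
# release used a postinstall hook to launch its dropper.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Host-like tokens in a shell command: dotted domain names or dotted-quad IPs.
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}|\b(?:\d{1,3}\.){3}\d{1,3}\b", re.I)


def audit_package_json(text: str, path: str = "package.json") -> list:
    """Return one finding per install-time hook found in a package.json document.

    severity is 'high' when the hook command names a known IoC host, 'review'
    for any other install hook (every install-time hook deserves a look during
    an incident), and 'error' when the manifest cannot be parsed.
    """
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError:
        return [{"path": path, "package": "?", "hook": None, "severity": "error",
                 "command": "unparseable package.json", "matched": []}]
    findings = []
    scripts = pkg.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hosts = {h.lower() for h in HOST_RE.findall(cmd)}
        matched = sorted(hosts & KNOWN_IOCS)
        findings.append({
            "path": path,
            "package": f"{pkg.get('name', '?')}@{pkg.get('version', '?')}",
            "hook": hook,
            "command": cmd,
            "matched": matched,
            "severity": "high" if matched else "review",
        })
    return findings


def audit_tree(root: str) -> list:
    """Walk a directory (e.g. a project's node_modules) and audit every package.json."""
    results = []
    for dirpath, _, files in os.walk(root):
        if "package.json" in files:
            p = os.path.join(dirpath, "package.json")
            with open(p, encoding="utf-8") as fh:
                results.extend(audit_package_json(fh.read(), p))
    return results


# Constructed sample manifests for a self-contained run. Neither is a real
# package; the second only mimics a postinstall hook that reaches the C2 host.
SAMPLE_CLEAN = json.dumps({"name": "example-lib", "version": "1.0.0",
                           "scripts": {"test": "node test.js"}})
SAMPLE_SUSPECT = json.dumps({"name": "example-dep", "version": "0.0.1",
                             "scripts": {"postinstall": "node setup.js http://sfrclak.com:8000/"}})

if __name__ == "__main__":
    for doc in (SAMPLE_CLEAN, SAMPLE_SUSPECT):
        for f in audit_package_json(doc):
            print(f["severity"].upper(), f["package"], f["hook"], f["matched"])
```

Run `audit_tree("node_modules")` against a checked-out project to list every install-time hook; anything marked `high` matches a host from the table, while `review` findings are ordinary hooks that still merit a glance, since a fresh compromise would not yet appear in any indicator list.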

Indicators of Compromise

Type     Value                                  First Seen   Last Seen
DOMAIN   sfrclak.com                            2026-03-30   2026-04-20
HASH     f7d335205b8d7b20208fb3ef93ee6dc…       2026-03-31   2026-04-17
HASH     e10b1fa84f1d6481625f741b6989278…       2026-03-31   2026-04-17
URL      http://sfrclak.com:8000/               2026-03-31   2026-04-17
HASH     617b67a8e1210e4fc87c92d1d1da45a…       2026-03-30   2026-04-17
HASH     fcb81618bb15edfdedfb638b4c08a2a…       2026-03-30   2026-04-17
EMAIL    [email protected]                      2026-03-30   2026-04-17
EMAIL    [email protected]                      2026-03-30   2026-04-17
URL      http://sfrclak.com:8000/6202033        2026-03-30   2026-04-17
IPv4     142.11.206.73                          2026-03-30   2026-04-17
IPv4     23.254.167.216                         2025-01-14   2026-04-17
HASH     d6f3f62fd3b9f5432f5782b62d8cfd5…       2026-03-30   2026-04-04
HASH     07d889e2dadce6f3910dcbc253317d2…       2026-03-30   2026-04-04
HASH     506690fcbd10fbe6f2b85b49a1fffa9…       2026-03-31   2026-04-01
HASH     e1f6b7f621a391a9d26e9a196974f3e…       2025-01-14   2026-04-01
IPv4     108.174.194.196                        2025-01-14   2026-04-01
IPv4     108.174.194.44                         2025-01-14   2026-04-01
