Compromised axios npm package delivers cross-platform RAT

2026-03-31 Datadog

https://securitylabs.datadoghq.com/articles/axios-npm-supply-chain-compromise/

Datadog analyzes the March 31, 2026 axios npm compromise in which a hijacked maintainer account published [email protected] and [email protected] with a new dependency on plain-crypto-js. The typosquatted package cloned crypto-js but added a postinstall setup.js script that decoded obfuscated strings, contacted http://sfrclak.com:8000/6202033, and retrieved platform-specific RAT payloads for macOS, Windows, and Linux. Registry metadata showed the malicious releases were published directly from the compromised jasonsaayman account with the attacker email [email protected], unlike the legitimate OIDC trusted publishing path used for [email protected]. Datadog notes the packages were available for about three hours, identifies filesystem and network indicators, and assesses with reasonable confidence that the activity is unrelated to the recent TeamPCP supply-chain campaign.
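As an added defender-side example (not code from the Datadog report), the check below audits an npm `package-lock.json` for the two things the write-up highlights: a dependency on the typosquatted `plain-crypto-js` package and any package that declares an install script (the `hasInstallScript` flag npm records in lockfile v2/v3). The lockfile content is a constructed sample; the version strings in it are placeholders, not the affected axios versions.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 3) for illustration only.
# Versions are placeholders; they are NOT the real affected releases.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "*"}},
        "node_modules/axios": {
            "version": "0.0.0-placeholder",
            "resolved": "https://registry.npmjs.org/axios/-/axios-0.0.0-placeholder.tgz",
            "dependencies": {"plain-crypto-js": "*", "follow-redirects": "*"},
        },
        "node_modules/plain-crypto-js": {
            "version": "0.0.0-placeholder",
            "resolved": "https://registry.npmjs.org/plain-crypto-js/-/plain-crypto-js-0.0.0-placeholder.tgz",
            "hasInstallScript": True,   # npm sets this when pre/post-install hooks exist
        },
        "node_modules/follow-redirects": {"version": "1.15.6"},
    },
})

# Package names the Datadog report identifies as malicious.
KNOWN_BAD_PACKAGES = {"plain-crypto-js"}


def audit_lockfile(lock_text):
    """Return findings as (severity, package_name, reason) tuples.

    Flags known-bad packages, any package that depends on one, and every
    package that runs an install script, since that is where the malicious
    postinstall setup.js ran.
    """
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":               # root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # handles nested node_modules
        if name in KNOWN_BAD_PACKAGES:
            findings.append(("high", name, "known malicious package in lockfile"))
        if meta.get("hasInstallScript"):
            findings.append(("medium", name, "runs an install script (pre/post-install hook)"))
        for dep in meta.get("dependencies", {}):
            if dep in KNOWN_BAD_PACKAGES:
                findings.append(("high", name, f"declares dependency on {dep}"))
    return findings


if __name__ == "__main__":
    for severity, pkg, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"[{severity}] {pkg}: {reason}")
```

Running `audit_lockfile` against a real lockfile needs only `json.load` on the file; installing with `npm ci --ignore-scripts` blocks the postinstall path entirely at the cost of breaking packages that legitimately need build hooks.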

Indicators of Compromise

Type    Value                               First Seen   Last Seen
DOMAIN  sfrclak.com                         2026-03-30   2026-04-20
HASH    617b67a8e1210e4fc87c92d1d1da45a…    2026-03-30   2026-04-17
HASH    92ff08773995ebc8d55ec4b8e1a225d…    2026-03-30   2026-04-17
HASH    fcb81618bb15edfdedfb638b4c08a2a…    2026-03-30   2026-04-17
EMAIL   [email protected]                   2026-03-30   2026-04-17
EMAIL   [email protected]                   2026-03-30   2026-04-17
URL     http://sfrclak.com:8000/6202033     2026-03-30   2026-04-17
IPv4    142.11.206.73                       2026-03-30   2026-04-17