Examining the Blast Radius from the Axios npm Supply Chain Compromise

2026-04-07 eSentire

https://www.esentire.com/blog/examining-the-blast-radius-from-the-axios-npm-supply-chain-compromise


eSentire reports that two malicious Axios npm versions, 1.14.1 and 0.30.4, were published through a compromised maintainer account and remained live for about three hours. The tampered packages added a malicious dependency that ran a postinstall payload, SILKBELL, which contacted attacker infrastructure and downloaded a cross-platform RAT tracked as WAVESHAPER.V2 or ZshBucket. The activity is attributed in the excerpt to UNC1069, also tracked as Sapphire Sleet or STARDUST CHOLLIMA, and affected 19 eSentire customers, mostly software organizations in North America and EMEA. Windows and macOS infections were observed soon after publication, with shared C2 over port 8000 and platform-specific POST bodies used to retrieve operating-system-specific payloads. The case shows how a brief compromise of a high-volume developer package can rapidly reach CI/CD pipelines and endpoint fleets before community response removes the malicious releases.
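As an added defender-side example (not eSentire's code or anything from the Axios project), the following Node script scans an npm lockfile (v2/v3 `packages` map) for the two malicious axios versions named in the report and lists every dependency that npm recorded as carrying an install-time script, the delivery mechanism used here. The lockfile content is a constructed sample; the `hasInstallScript` field is real npm lockfile metadata.

```javascript
// Versions named in the report as published from the compromised account.
const MALICIOUS_AXIOS_VERSIONS = new Set(['1.14.1', '0.30.4']);

// Turn a lockfile key ("node_modules/a/node_modules/@s/b") into a package name.
function nameFromLockKey(key) {
  const parts = key.split('node_modules/');
  return parts[parts.length - 1];
}

// Walk the lockfile's "packages" map and report (a) any axios entry pinned to a
// malicious version and (b) any dependency npm flagged as having install scripts,
// which is where a postinstall payload like the one described would run.
function scanLockfile(lock) {
  const findings = { maliciousAxios: [], installScripts: [] };
  const packages = lock.packages || {};
  for (const [key, meta] of Object.entries(packages)) {
    if (key === '') continue; // root project entry, not a dependency
    const name = nameFromLockKey(key);
    if (name === 'axios' && MALICIOUS_AXIOS_VERSIONS.has(meta.version)) {
      findings.maliciousAxios.push({ path: key, version: meta.version });
    }
    if (meta.hasInstallScript === true) {
      findings.installScripts.push({ path: key, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (not a captured lockfile from any incident).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/some-native-lib': { version: '2.0.0', hasInstallScript: true },
    'node_modules/nested/node_modules/axios': { version: '1.7.9' },
  },
};

const result = scanLockfile(SAMPLE_LOCK);
console.log(JSON.stringify(result, null, 2));
```

In a real audit, read `package-lock.json` with `JSON.parse(fs.readFileSync(...))` and pass it to `scanLockfile`; non-empty `maliciousAxios` means the tree pulled one of the tampered releases, and every `installScripts` entry deserves a look at what its hooks execute.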
