Inside the Axios supply chain compromise - one RAT to rule them all

2026-04-01 Elastic

https://www.elastic.co/security-labs/axios-one-rat-to-rule-them-all


Elastic Security Labs analyzed the Axios npm supply-chain compromise in which a compromised maintainer account published backdoored [email protected] and [email protected] releases that pulled the malicious plain-crypto-js dependency. The dependency used an obfuscated postinstall dropper to contact sfrclak[.]com:8000 and deliver platform-specific RAT payloads for Windows, macOS, and Linux. The second-stage implants shared a common HTTP POST C2 protocol, Base64-encoded JSON messages, 60-second beaconing, an anomalous IE8/Windows XP user-agent, and commands for execution, directory enumeration, payload injection, and termination. The dropper also deleted setup.js and replaced package.json with a clean-looking copy, making lockfiles and telemetry important for incident response. The analysis matters because axios has very broad JavaScript ecosystem reach, so a short-lived malicious publish could expose many development and enterprise environments.
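The C2 traits summarised above (HTTP POST, 60-second beaconing, an IE8/Windows XP user-agent, the sfrclak[.]com domain) can be turned into a simple proxy-log triage check. This is an added example, not code from Elastic's report: the log format and sample lines are constructed, and the exact user-agent tokens (MSIE 8.0 / Windows NT 5.1) are assumed from what IE8 on XP normally sends, since the report summary does not quote the string.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not from the report): ts src method host path "user-agent"
SAMPLE_LOG = """\
2026-03-30T10:00:00Z 10.0.0.5 POST sfrclak.com:8000 /6202033 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
2026-03-30T10:01:00Z 10.0.0.5 POST sfrclak.com:8000 /6202033 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
2026-03-30T10:02:01Z 10.0.0.5 POST sfrclak.com:8000 /6202033 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
2026-03-30T10:00:30Z 10.0.0.7 GET registry.npmjs.org /axios "npm/10.2.0 node/v20.11.0 linux x64"
2026-03-30T10:00:45Z 10.0.0.9 POST api.example.internal /login "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "(.*)"$')
KNOWN_C2 = {"sfrclak.com"}  # domain named in the report
# Assumption: standard IE8-on-XP tokens; the report only says "IE8/Windows XP".
LEGACY_UA_RE = re.compile(r"MSIE 8\.0;.*Windows NT 5\.1")

def parse(log):
    """Parse the constructed log format into dicts; skip lines that do not match."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, host, path, ua = m.groups()
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
                     "method": method, "host": host.split(":")[0], "path": path, "ua": ua})
    return rows

def find_beacons(rows, period=60, tolerance=5, min_hits=3):
    """Return {(src, host): [reasons]} for POST traffic matching the report's C2 traits."""
    by_pair = defaultdict(list)
    for r in rows:
        if r["method"] == "POST":          # the implants only use HTTP POST
            by_pair[(r["src"], r["host"])].append(r)
    findings = {}
    for pair, hits in by_pair.items():
        reasons = []
        if pair[1] in KNOWN_C2:
            reasons.append("known C2 domain")
        if any(LEGACY_UA_RE.search(h["ua"]) for h in hits):
            reasons.append("IE8/WinXP user-agent")
        times = sorted(h["ts"] for h in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and all(abs(g - period) <= tolerance for g in gaps):
            reasons.append(f"~{period}s beacon")   # fixed-interval check-ins
        if reasons:
            findings[pair] = reasons
    return findings
```

The periodicity check is the part that survives a domain change; the domain and user-agent matches are only as durable as the indicators.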

Indicators of Compromise

Type    Value                                First Seen   Last Seen
DOMAIN  sfrclak.com                          2026-03-30   2026-04-20
HASH    617b67a8e1210e4fc87c92d1d1da45a…     2026-03-30   2026-04-17
HASH    92ff08773995ebc8d55ec4b8e1a225d…     2026-03-30   2026-04-17
HASH    fcb81618bb15edfdedfb638b4c08a2a…     2026-03-30   2026-04-17
EMAIL   [email protected]                    2026-03-30   2026-04-17
EMAIL   [email protected]                    2026-03-30   2026-04-17
URL     http://sfrclak.com:8000/6202033      2026-03-30   2026-04-17
IPv4    142.11.206.73                        2026-03-30   2026-04-17
EMAIL   [email protected]                    2026-04-01   2026-04-01
