Mitigating the Axios npm supply chain compromise

2026-04-01 Microsoft

https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/


Microsoft attributed the malicious axios npm releases 1.14.1 and 0.30.4, and the command-and-control infrastructure behind them, to Sapphire Sleet, a North Korean state actor. The compromise added the fake dependency [email protected] so that an npm install or update would run its setup.js without altering axios's own application logic. That loader contacted hxxp://sfrclak[.]com:8000/6202033, sent platform-specific POST bodies, and retrieved RAT payloads for macOS, Windows, and Linux. On Windows, execution went through a VBScript stager, copied PowerShell to %PROGRAMDATA%\wt.exe, and established persistence through %PROGRAMDATA%\system.bat and an HKCU run key named MicrosoftUpdate. Because the install-time hook could run on developer endpoints and in CI/CD systems, Microsoft advised affected users to rotate secrets and downgrade to safe axios versions.

Indicators of Compromise

Type    Value                               First Seen  Last Seen
DOMAIN  sfrclak.com                         2026-03-30  2026-04-20
HASH    ed8560c1ac7ceb6983ba995124d5917…    2026-03-31  2026-04-17
HASH    f7d335205b8d7b20208fb3ef93ee6dc…    2026-03-31  2026-04-17
HASH    617b67a8e1210e4fc87c92d1d1da45a…    2026-03-30  2026-04-17
HASH    92ff08773995ebc8d55ec4b8e1a225d…    2026-03-30  2026-04-17
HASH    fcb81618bb15edfdedfb638b4c08a2a…    2026-03-30  2026-04-17
URL     http://sfrclak.com:8000/6202033     2026-03-30  2026-04-17
IPv4    142.11.206.73                       2026-03-30  2026-04-17
URL     http://sfrclak.com                  2026-04-01  2026-04-03
URL     http://sfrclak.com:8000             2026-04-01  2026-04-03
IPv4    142.11.206.72                       2026-04-01  2026-04-01
