One of the most popular JavaScript packages on earth, Axios, has been compromised

2026-03-31 OSM

https://opensourcemalware.com/blog/axios-compromised


The analysis describes an axios supply-chain compromise in which axios v1.14.1 and v0.30.4 were published directly through the npm CLI with a malicious plain-crypto-js dependency, rather than through the project's normal GitHub Actions OIDC provenance flow. The attacker reportedly compromised the maintainer's npm and GitHub accounts, changed the npm account's email details, suppressed a GitHub issue reporting the compromise, and kept the malicious packages live for about three hours and nineteen minutes before npm administrators removed them and revoked tokens. The setup.js dropper used layered obfuscation, selected payloads by operating system, contacted http://sfrclak.com:8000/6202033, and deployed Windows PowerShell, Linux Python, and macOS native RAT components. The payloads supported persistence, host reconnaissance, process listing, filesystem enumeration, command execution, and follow-on payload execution, with infrastructure tied to 142.11.206.73:8000 and a distinctive legacy IE8-style User-Agent. The account takeover and the missing provenance on the malicious releases are practical detection points for package maintainers and for organizations auditing their npm dependency exposure.
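As an added example (not code from the OSM report or from the axios project), the following Node.js script audits a package-lock.json for the exposure described above: it flags the two compromised axios versions and any lockfile entry that is, or declares a dependency on, plain-crypto-js, including copies nested under other packages. The lockfile contents are a constructed sample.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" map) for the axios
// compromise. The two axios versions and the rogue dependency name come from
// the report; everything else here is constructed for illustration.
const COMPROMISED_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
const ROGUE_DEPENDENCY = "plain-crypto-js";

// Bare package name from a lockfile key, e.g.
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? lockPath : lockPath.slice(idx + "node_modules/".length);
}

// Returns one finding per suspicious condition: a compromised axios release,
// the malicious package itself, or any package that depends on it.
function auditLockfile(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(path);
    if (name === "axios" && COMPROMISED_AXIOS_VERSIONS.has(entry.version)) {
      findings.push({ path, reason: `axios ${entry.version} is a compromised release` });
    }
    if (name === ROGUE_DEPENDENCY) {
      findings.push({ path, reason: `${ROGUE_DEPENDENCY} is the malicious package` });
    }
    if (entry.dependencies && ROGUE_DEPENDENCY in entry.dependencies) {
      findings.push({ path, reason: `declares a dependency on ${ROGUE_DEPENDENCY}` });
    }
  }
  return findings;
}

// Constructed sample: a clean top-level axios plus a nested compromised copy
// pulled in by a hypothetical "some-sdk" package. The plain-crypto-js version
// is a placeholder; the real version is not given in the report.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.13.0" },
    "node_modules/some-sdk": { version: "2.0.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/some-sdk/node_modules/axios": {
      version: "1.14.1",
      dependencies: { "plain-crypto-js": "*" },
    },
    "node_modules/some-sdk/node_modules/plain-crypto-js": { version: "0.0.0" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCKFILE)) console.log(`${f.path}: ${f.reason}`);
```

Point `auditLockfile` at `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real project; a clean lockfile yields an empty array.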

Indicators of Compromise

Type    Value                             First Seen   Last Seen
DOMAIN  sfrclak.com                       2026-03-30   2026-04-20
EMAIL   [email protected]                 2026-03-30   2026-04-17
EMAIL   [email protected]                 2026-03-30   2026-04-17
URL     http://sfrclak.com:8000/6202033   2026-03-30   2026-04-17
IPv4    142.11.206.73                     2026-03-30   2026-04-17
YARA    plain_crypto_js_malware           2026-03-31   2026-03-31
