Supply Chain Attack on Axios NPM Package via North Korean Threat Actors

2026-04-17 Igloo

https://www.igloopedia.com/345f216a-760c-8003-9c12-ecd7dfe4f1b6


Axios maintainer access was compromised to publish malicious [email protected] and [email protected] releases that added the typosquatted dependency [email protected] without changing the main Axios source. The malicious dependency used a postinstall hook to run an obfuscated Node.js dropper before application code executed, then branched by operating system to fetch macOS, Windows, or Linux payloads from sfrclak.com:8000. The macOS path downloaded a trojanized binary, the Windows path used VBScript and PowerShell, and the Linux path used a Python RAT launched with nohup, with the C2 distinguishing platforms through product-specific POST bodies. Google GTIG assessed the activity as likely UNC1069 or BlueNoroff, while Huntress, Elastic, and Volexity cited overlaps with BlueNoroff/RustBucket-style components, North Korea-linked backdoor structure, and prior campaign infrastructure such as calltan.com. The campaign is notable because it weaponized npm lifecycle scripts and dependency resolution in a high-download library, allowing compromise during installation before developers ran their own code.

Indicators of Compromise

