Supply Chain Attack on Axios Pulls Malicious Dependency from npm

2026-03-31 Socket

https://socket.dev/blog/axios-npm-package-compromised


Socket analyzed the axios supply-chain compromise in which [email protected] and [email protected] pulled the malicious [email protected] dependency through npm. The dependency’s postinstall hook ran setup.js, decoded obfuscated module names, commands, paths, and C2 details, then routed victims to macOS, Windows, or Linux payload delivery paths. The shared C2 endpoint was sfrclak[.]com:8000, with POST bodies mimicking npm-related traffic such as packages[.]npm[.]org/product0, product1, and product2. Socket and Elastic analysis of the macOS second stage described a C++ RAT that fingerprints the host, beacons every 60 seconds, enumerates directories, executes commands or AppleScript, deploys additional binaries, and can terminate itself. The report notes no observed evidence linking the activity to recently reported TeamPCP campaigns.

Indicators of Compromise

Type    Value                            First Seen   Last Seen
DOMAIN  sfrclak.com                      2026-03-30   2026-04-20
URL     http://sfrclak.com:8000/         2026-03-31   2026-04-17
EMAIL   [email protected]                2026-03-30   2026-04-17
URL     http://sfrclak.com:8000/6202033  2026-03-30   2026-04-17
IPv4    142.11.206.73                    2026-03-30   2026-04-17
