Supply Chain Compromise of axios npm Package

2026-03-31 Huntress

https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package


Huntress observed active exploitation of the axios npm supply-chain compromise: the malicious [email protected] and [email protected] releases delivered a cross-platform RAT through the postinstall hook of [email protected].

The report notes multiple indicators pointing to North Korean state-sponsored activity: overlaps between the macOS payload and a DPRK-linked backdoor, the macWebT project name's connection to BlueNoroff's RustBucket webT module, and Google Threat Intelligence Group's attribution to UNC1069.

Huntress reported at least 135 monitored endpoints contacting attacker C2 during the exposure window and documented the Windows tradecraft: VBScript staging, a copy of powershell.exe masquerading as %PROGRAMDATA%\wt.exe, and persistence via a system.bat plus an HKCU Run key.

The report advises treating affected hosts as fully compromised: the RAT supported credential theft, data exfiltration, reconnaissance and follow-on execution, and removing the npm packages and the C2 infrastructure does not undo anything the operator already did on a host during the exposure window.

Indicators of Compromise

Type    Value                                 First Seen   Last Seen
DOMAIN  sfrclak.com                           2026-03-30   2026-04-20
HASH    f7d335205b8d7b20208fb3ef93ee6dc…      2026-03-31   2026-04-17
DOMAIN  calltan.com                           2026-03-31   2026-04-17
DOMAIN  callnrwise.com                        2026-03-31   2026-04-17
HASH    617b67a8e1210e4fc87c92d1d1da45a…      2026-03-30   2026-04-17
HASH    92ff08773995ebc8d55ec4b8e1a225d…      2026-03-30   2026-04-17
HASH    fcb81618bb15edfdedfb638b4c08a2a…      2026-03-30   2026-04-17
EMAIL   [email protected]                     2026-03-30   2026-04-17
EMAIL   [email protected]                     2026-03-30   2026-04-17
URL     http://sfrclak.com:8000/6202033       2026-03-30   2026-04-17
IPv4    142.11.206.73                         2026-03-30   2026-04-17
HASH    d6f3f62fd3b9f5432f5782b62d8cfd5…      2026-03-30   2026-04-04
HASH    07d889e2dadce6f3910dcbc253317d2…      2026-03-30   2026-04-04
HASH    2553649f2322049666871cea80a5d0d…      2026-03-30   2026-04-04
HASH    df0e06df00e993e7917436d0f73df626      2026-03-31   2026-03-31
HASH    96575799bd87ae64cddbc55634a6d32d      2026-03-31   2026-03-31

Hash values ending in "…" are truncated as shown on this page and cannot be matched exactly; only the two 32-character (MD5-length) values on the last two rows are complete.
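The Windows tradecraft summarised above (powershell.exe copied to %PROGRAMDATA%\wt.exe, system.bat plus an HKCU Run key, VBScript staging) and the network indicators in the table translate directly into a host triage check. The script below is an added example written for this page, not Huntress's tooling or anything from the report. It assumes the masquerading wt.exe keeps the PE metadata and bytes of the powershell.exe it was copied from, that system.bat sits under a per-user or ProgramData path, and that the two complete MD5s in the table belong to dropped files (the page does not say which artefacts they hash). A clean result does not clear a host: the postinstall hook ran the moment the package was installed, and the RAT also targets macOS and Linux.

```powershell
# Added triage example for the axios/[email protected] compromise; not Huntress code.
# Assumptions (see lead-in): wt.exe masquerade is a byte copy of powershell.exe,
# system.bat lives under ProgramData or a per-user dir, IoC values as listed above.
$ErrorActionPreference = 'SilentlyContinue'
$findings = [System.Collections.Generic.List[string]]::new()

# Network and file indicators copied from the IoC table on this page.
$iocDomains = @('sfrclak.com', 'calltan.com', 'callnrwise.com')
$iocIPs     = @('142.11.206.73')
$iocMd5     = @('df0e06df00e993e7917436d0f73df626', '96575799bd87ae64cddbc55634a6d32d')

# 1. %PROGRAMDATA%\wt.exe: the genuine Windows Terminal wt.exe is never in ProgramData.
#    A wt.exe there whose PE OriginalFilename says PowerShell, or whose SHA-256 equals
#    the system powershell.exe, is the masquerade described in the report.
$wt = Join-Path $env:ProgramData 'wt.exe'
if (Test-Path $wt) {
    $info   = (Get-Item $wt).VersionInfo
    $wtHash = (Get-FileHash -Algorithm SHA256 -Path $wt).Hash
    $sysPs  = @("$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
                "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe")
    $sameAsPs = $sysPs | Where-Object {
        (Test-Path $_) -and ((Get-FileHash -Algorithm SHA256 -Path $_).Hash -eq $wtHash)
    }
    if ($info.OriginalFilename -match 'powershell' -or $sameAsPs) {
        $findings.Add("wt.exe masquerade: $wt (OriginalFilename=$($info.OriginalFilename), sha256=$wtHash)")
    } else {
        $findings.Add("unexpected file, review manually: $wt (OriginalFilename=$($info.OriginalFilename))")
    }
}

# 2. Persistence: HKCU Run values that launch system.bat, the fake wt.exe or a .vbs stager.
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($p in $run.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/etc. added by the provider
    if ("$($p.Value)" -match 'system\.bat|wt\.exe|\.vbs') {
        $findings.Add("HKCU Run '$($p.Name)' -> $($p.Value)")
    }
}

# 3. Dropped artefacts: system.bat and any file whose MD5 matches the two complete hashes above.
$searchRoots = @($env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { Test-Path $_ }
foreach ($f in (Get-ChildItem -Path $searchRoots -Recurse -Force -File -Include 'system.bat', '*.vbs', '*.exe' -Depth 3)) {
    $md5 = (Get-FileHash -Algorithm MD5 -Path $f.FullName).Hash.ToLower()
    if ($f.Name -ieq 'system.bat') { $findings.Add("system.bat present: $($f.FullName) (md5=$md5)") }
    elseif ($md5 -in $iocMd5)      { $findings.Add("IoC hash match: $($f.FullName) (md5=$md5)") }
}

# 4. Live execution: wscript/cscript running a .vbs stager, or the fake wt.exe itself.
foreach ($proc in Get-CimInstance Win32_Process) {
    if ($proc.ExecutablePath -ieq $wt -or ($proc.Name -match '^[wc]script\.exe$' -and $proc.CommandLine -match '\.vbs')) {
        $findings.Add("suspicious process: PID $($proc.ProcessId) $($proc.CommandLine)")
    }
}

# 5. Network: DNS cache entries and current TCP connections to the listed C2 infrastructure.
foreach ($e in Get-DnsClientCache) {
    $hit = ($iocDomains | Where-Object { $e.Entry -like "*$_" }) -or ($e.Data -in $iocIPs)
    if ($hit) { $findings.Add("DNS cache: $($e.Entry) -> $($e.Data)") }
}
foreach ($c in (Get-NetTCPConnection | Where-Object { $_.RemoteAddress -in $iocIPs })) {
    $findings.Add("TCP to C2: $($c.RemoteAddress):$($c.RemotePort) from PID $($c.OwningProcess) state $($c.State)")
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this page found on this host. This does NOT clear it if the malicious package was ever installed.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
    Write-Output 'Treat this host as fully compromised: isolate, preserve evidence, rotate every credential it held, rebuild.'
}
```

Run it elevated on each host that had the affected package in a lockfile or cache, and keep the output rather than the host state: the report's point is that removal of the packages and takedown of the C2 does not reverse credential theft or exfiltration that already happened, so the findings feed the scope of credential rotation, not a decision about whether to rebuild.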
