The Poisoned Pipeline: Axios Supply Chain Attack

2026-03-31 Invictus IR

https://www.invictus-ir.com/news/the-poisoned-pipeline-axios-supply-chain-attack


Invictus assessed the Axios npm compromise as a separate supply-chain incident in which a lead maintainer account was hijacked to publish trojanized versions 1.14.1 and 0.30.4. The malicious releases added a dependency on plain-crypto-js, which deployed a cross-platform RAT against developer workstations and build environments on Windows, macOS, and Linux. Open-source researchers noted overlaps with WAVESHAPER, attributed to DPRK-nexus UNC1069, and Invictus later identified an ETag and Hostwinds infrastructure overlap tying the Axios C2 to JustJoin landing-page infrastructure associated with DPRK-nexus activity. The RAT beaconed every 60 seconds over HTTP POST with base64-encoded JSON, enumerated user/configuration paths and system telemetry, and on Windows used reflective .NET loading together with a MicrosoftUpdate Run key pointing to system.bat. Key infrastructure and artifacts included sfrclak[.]com, callnrwise[.]com, 23.254.167[.]216, %PROGRAMDATA%\wt.exe, /Library/Caches/com.apple.act.mond, and /tmp/ld.py.
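As an added example (not code from the Invictus report or the Axios project), the following script scans a parsed package-lock.json for the two trojanized axios versions and the plain-crypto-js dependency named above, handling both the nested lockfileVersion 1 tree and the flat v2/v3 "packages" map; the sample lockfile is constructed for the demonstration.

```python
import json

# Trojanized axios releases and the malicious dependency named in the report.
COMPROMISED_AXIOS = {"1.14.1", "0.30.4"}
MALICIOUS_PACKAGES = {"plain-crypto-js"}


def _check(name, version, path, hits):
    """Append a finding tuple if this package/version matches a known indicator."""
    if name == "axios" and version in COMPROMISED_AXIOS:
        hits.append(("compromised-axios", "/".join(path), version))
    if name in MALICIOUS_PACKAGES:
        hits.append(("malicious-dependency", "/".join(path), version))


def _walk_v1(deps, path, hits):
    """Recurse through a lockfileVersion 1 'dependencies' tree (nested dicts)."""
    for name, meta in (deps or {}).items():
        here = path + [name]
        _check(name, meta.get("version", ""), here, hits)
        _walk_v1(meta.get("dependencies"), here, hits)


def scan_lockfile(lock):
    """Return [(finding, dependency path, version)] for a parsed package-lock.json."""
    hits = []
    if lock.get("lockfileVersion", 1) >= 2:
        # v2/v3: flat map keyed by install path, e.g. "node_modules/foo/node_modules/axios"
        for key, meta in lock.get("packages", {}).items():
            if not key:
                continue  # "" is the root project entry, not a dependency
            path = [p.strip("/") for p in key.split("node_modules/")[1:]]
            _check(path[-1], meta.get("version", ""), path, hits)
    else:
        _walk_v1(lock.get("dependencies"), [], hits)
    return hits


def scan_lockfile_path(filename):
    """Convenience wrapper: load a package-lock.json from disk and scan it."""
    with open(filename, "r", encoding="utf-8") as fh:
        return scan_lockfile(json.load(fh))


# Constructed sample lockfile (not taken from the report) containing one hit of each kind.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/plain-crypto-js": {"version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}

if __name__ == "__main__":
    for finding in scan_lockfile(SAMPLE_LOCK):
        print(*finding)
```

Run it against each project's package-lock.json in CI; any non-empty result means the build pulled one of the indicators above and the host should be treated as exposed.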

Indicators of Compromise

Type    Value             First Seen   Last Seen
DOMAIN  sfrclak.com       2026-03-30   2026-04-20
DOMAIN  callnrwise.com    2026-03-31   2026-04-17
EMAIL   [email protected]  2026-03-30   2026-04-17
EMAIL   [email protected]  2026-03-30   2026-04-17
IPv4    23.254.167.216    2025-01-14   2026-04-17
