Widespread Impact of the Axios Supply Chain Attack
2026-04-01 • Palo Alto Networks
https://unit42.paloaltonetworks.com/axios-supply-chain-attack/
Unit 42 reports that the compromised Axios npm releases v1.14.1 and v0.30.4 added a hidden dependency, plain-crypto-js, whose postinstall script acted as a dropper and deployed cross-platform RAT payloads on macOS, Windows, and Linux. The infection chain used obfuscated Node.js, platform-specific downloads from sfrclak[.]com:8000, persistence on Windows, and periodic HTTP POST beaconing; the supported commands covered termination, script execution, binary payload execution, and directory enumeration. The malware performed reconnaissance, established persistence, executed commands, and carried out anti-forensic cleanup, including removing the postinstall artifacts and replacing the package metadata with a decoy. Unit 42 notes overlap with WAVESHAPER and with prior activity reported as involving DPRK, but the excerpt does not independently attribute the Axios compromise beyond that overlap. The attack matters because Axios is used throughout JavaScript dependency chains, so organizations across many sectors and regions were exposed through ordinary npm installation workflows.
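As an added defender-side example (not code from the Unit 42 report or the Axios project), the following Node.js script scans an npm lockfile (lockfileVersion 2 or 3) for the indicators named in the summary: the two affected Axios versions, the hidden plain-crypto-js dependency, and any package that npm recorded as carrying an install script. The sample lockfile is constructed, and the plain-crypto-js version in it is a placeholder, not a real release.

```javascript
// Added example: lockfile triage for the indicators in the summary above.
// Indicator values (versions, dependency name) come from the summary;
// everything else here, including the sample lockfile, is constructed.

const AFFECTED_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
const HIDDEN_DEPENDENCY = "plain-crypto-js";

// Derive the package name from a lockfile "packages" key such as
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// return one finding per matched indicator. The lockfile is used rather than
// the installed package.json files because the summary notes the malware
// removes its postinstall artifacts and swaps in decoy metadata on disk.
function scanLockfile(lock) {
  const findings = [];
  const packages = (lock && lock.packages) || {};
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(path);
    if (name === "axios" && AFFECTED_AXIOS_VERSIONS.has(meta.version)) {
      findings.push({ path, indicator: "compromised-axios-version", detail: meta.version });
    }
    if (name === HIDDEN_DEPENDENCY) {
      findings.push({ path, indicator: "hidden-dependency", detail: meta.version });
    }
    // npm sets hasInstallScript when a package declares (pre|post)install scripts.
    if (meta.hasInstallScript === true) {
      findings.push({ path, indicator: "install-script", detail: name });
    }
  }
  return findings;
}

// Constructed sample lockfile reproducing the dependency shape described above.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.1" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "*" } },
    "node_modules/plain-crypto-js": { version: "0.0.0-placeholder", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.0" }, // benign control entry
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.indicator}\t${f.path}\t${f.detail}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of its package-lock.json. An "install-script" finding on its own is only a prompt to inspect that package's scripts, since many legitimate native modules declare one; the version and hidden-dependency hits are the specific indicators from the report.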