
Inside the Axios supply chain compromise - one RAT to rule them all

ID: 4fece7a3-4156-5803-b35b-084c42207286

STIX ID: report--4fece7a3-4156-5803-b35b-084c42207286

Feed Name: Elastic Security Labs

Threat Score
90/100

Date Published: 2026-04-01

Date Updated: 2026-04-27

...
...

**Elastic Security Labs identified a supply-chain compromise of the widely used npm package axios (malicious releases 1.14.1 and 0.30.4). A postinstall dependency, plain-crypto-js, silently downloaded platform-specific stage-2 implants from sfrclak.com:8000. The implants are three native implementations of the same cross-platform RAT (Windows PowerShell, macOS C++, Linux Python) that share an identical C2 protocol, command set, beacon cadence and a spoofed IE8/Windows XP user-agent. The dropper self-deletes and swaps package.json to erase evidence. Indicators include the domain sfrclak.com, the IP address 142.11.206.73, and the SHA-256 hashes listed in the report.**
