
Axios npm package compromised to deploy malware

ID: 58ff324c-2265-586e-a810-c19c641b6c0d

STIX ID: report--58ff324c-2265-586e-a810-c19c641b6c0d

Feed Name: Sophos Blogs

Threat Score: 75/100

Date Published: 2026-03-31

Date Updated: 2026-04-30

...
...

This report catalogs indicators and artifacts from a malicious supply-chain campaign distributing trojanized Axios/npm packages (e.g., axios-1.14.1.tgz, axios-0.30.4.tgz, plain-crypto-js-4.2.1.tgz) and related payloads for Windows, macOS, and Linux. It provides MD5/SHA1/SHA256 hashes, filenames (setup.js, system.bat, ld.py, com.apple.act.mond), C2 domains and URLs (sfrclak.com, callnrwise.com, http://sfrclak.com:8000/6202033), an IP (142.11.206.73), attacker email addresses ([email protected], [email protected]), and Windows file locations such as C:\ProgramData\wt.exe and C:\ProgramData\system.bat; the Windows second-stage is identified as a PowerShell RAT.
