Breaking Down the Axios Supply Chain Attack: Dropper, Cross-Platform RATs, and BlueNoroff/TA444
ID: eef5bdfd-4ab5-5be6-9394-feff907ce9ec
STIX ID: report--eef5bdfd-4ab5-5be6-9394-feff907ce9ec
Feed Name: Hunt.io Blog
**Executive Summary:** The report documents a rapid supply-chain attack in which a hijacked npm maintainer account was used to publish malicious axios versions and a staged dependency carrying an obfuscated postinstall dropper (setup.js). The dropper deployed multi-platform RATs (a macOS Mach-O binary, an in-memory PowerShell payload on Windows, and a Python payload on Linux), cleaned up its artifacts to evade detection, and beaconed to a single C2 (sfrclak.com:8000 / 142.11.206.73). Investigators provide IOCs, MITRE mappings, and remediation guidance, and attribute the campaign to TA444/BlueNoroff based on ETag, SSH, and subnet overlaps together with a NukeSped classification.
