
Axios NPM Package Supply Chain Compromise Leads to RAT Deployment

ID: 4bc3ac2b-2310-5e94-a257-8c3b58006e7e

STIX ID: report--4bc3ac2b-2310-5e94-a257-8c3b58006e7e

Feed Name: LevelBlue SpiderLabs Blog

Threat Score: 90/100

Date Published: 2026-04-09

Date Updated: 2026-04-28

Author: Mahadev Joshi and Sho Kishimoto

...
...

A supply-chain compromise of the Axios npm package (malicious versions observed: [email protected] and [email protected]) used npm postinstall scripts to execute a hidden dependency that downloaded and deployed a RAT. LevelBlue detected the post-install execution, abnormal parent-child process chains (npm/node → cmd.exe/powershell → curl/wget), and outbound C2 traffic. The report supplies SHA256 hashes, the C2 IP/domain/URL, hunting queries, and containment and remediation recommendations (isolate/reimage affected hosts, rotate credentials, disable npm scripts, enforce lockfiles).
