How the Attack Works

1. Only change in axios@1.14.1 — one line added to package.json

    "dependencies": {
      "follow-redirects": "^1.15.11",
      "form-data": "^4.0.5",
      "proxy-from-env": "^2.1.0",
    + "plain-crypto-js": "^4.2.1"

   ↓ npm resolves dependency

2. npm installs plain-crypto-js — its postinstall hook runs automatically

    // plain-crypto-js/package.json
    "postinstall": "node setup.js"

   ↓ triggers dropper

3. setup.js deobfuscates strings, detects OS, contacts C2

    → hxxp://sfrclak[.]com:8000/6202033

    macOS:   com.apple.act.mond
    Windows: wt.exe → hidden PowerShell
    Linux:   /tmp/ld.py

4. Self-destruct — delete setup.js, swap in clean package.json

    node_modules/plain-crypto-js/ now looks clean — no trace
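Because step 4 leaves node_modules/plain-crypto-js/ looking clean, the place to check is package-lock.json, which records what npm resolved. The scanner below is an added example, not code from the original page: it assumes the lockfile from the affected install is still available and uses lockfileVersion 2 or 3, and SAMPLE_LOCK, scanLockfile and the package native-addon-example are constructed for illustration. It goes beyond the page's case by also listing every entry marked hasInstallScript, the mechanism step 2 relies on.

```javascript
// Indicators taken from the page: the compromised axios release and the
// dependency it added. A Map avoids prototype-key surprises on odd names.
const BAD_VERSIONS = new Map([["axios", ["1.14.1"]]]);
const BAD_NAMES = ["plain-crypto-js"];

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; other keys unchanged.
function nameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Scan the "packages" map of a parsed package-lock.json (lockfileVersion 2/3).
function scanLockfile(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry
    const name = meta.name || nameFromKey(key);
    const deps = Object.keys(meta.dependencies || {});
    let reason = null;
    if (BAD_NAMES.includes(name)) reason = "known-bad package";
    else if ((BAD_VERSIONS.get(name) || []).includes(meta.version)) reason = "known-bad version";
    else if (deps.some((d) => BAD_NAMES.includes(d))) reason = "depends on known-bad package";
    else if (meta.hasInstallScript === true) reason = "runs install script (review)";
    if (reason) findings.push({ key, name, version: meta.version, reason });
  }
  return findings;
}

// Constructed sample lockfile; versions other than axios 1.14.1 are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": {
      version: "1.14.1",
      dependencies: { "follow-redirects": "^1.15.11", "plain-crypto-js": "^4.2.1" },
    },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.11" },
    "node_modules/native-addon-example": { version: "0.0.0", hasInstallScript: true },
  },
};

console.log(scanLockfile(SAMPLE_LOCK));
```

To scan a real project, pass the parsed contents of its package-lock.json to scanLockfile in place of SAMPLE_LOCK.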