GMS-2026-69: Embedded Malicious Code deploying cross-platform remote access trojan
The npm package plain-crypto-js version 4.2.1 is a malicious package published as part of the axios supply chain attack of March 31, 2026. It was injected as a hidden dependency into the compromised axios versions (1.14.1 and 0.30.4). The package is never imported by the axios source code; it exists solely to run a malicious postinstall script that contacts a C2 server at sfrclak[.]com and downloads a platform-specific RAT payload. On macOS it drops /Library/Caches/com.apple.act.mond, on Windows %PROGRAMDATA%\wt.exe, and on Linux /tmp/ld.py. After execution, the dropper deletes itself and replaces its package.json with a clean stub to hinder forensic analysis. Version 4.2.0 was a clean decoy used to establish a publishing history.