The plain-crypto-js npm package version 4.2.1 contains a malicious postinstall script that deploys a cross-platform remote access trojan (RAT). When installed, the script contacts a remote C2 server to deliver second-stage payloads for macOS, Windows, and Linux, then deletes itself and replaces its package.json with a clean decoy to hinder forensic analysis. This package was injected as a hidden dependency into the compromised axios releases 1.14.1 and 0.30.4. Users of plain-crypto-js 4.2.1 or axios 1.14.1 and 0.30.4 are advised to treat affected systems as fully compromised. Axios users should pin to axios@1.14.0 (1.x) or axios@0.29.0 (0.x).