npm install
axios
1.14.1 or 0.30.4
dependency
postinstall
plain-crypto-js
Typosquat of crypto-js
Runs
setup.js
downloads
second stage
• macOS: Mach-O binary
• Windows: PowerShell
• Linux: Python script
beacons to
C2 server
sfrclak[.]com
142.11.206.73:8000
Base64 JSON over HTTP
Datadog Security Labs