A second threat actor leveraged the leaked Shai-Hulud infostealer toolkit to publish four malicious npm packages typosquatting the widely used Axios HTTP library. Any Node.js development or CI/CD environment that installed chalk-tempalte, @deadcode09284814/axios-util, axois-utils, or color-style-utils may have exposed AWS, GCP, and Azure cloud credentials alongside cryptocurrency wallet data. The campaign also includes a DDoS botnet recruitment module, meaning affected systems may be actively participating in attacks.