Analysis of an attacker disguised as a job seeker abusing GitHub to distribute malware

2025-06-03 ENKI Cyber threat report on ITWorker, T1059.003, T1140

https://www.enki.co.kr/media-center/blog/an-attacker-disguised-as-a-job-seeker-distributing-malware-on-github


ENKI analyzed GitHub repositories operated by an actor posing as a full-stack and blockchain job seeker under accounts including RealToma, mthomas0802, and L34rnT0C0d3. The actor copied legitimate projects and hid malicious scripts in files such as logger.ts and mm.js, causing users who ran the projects to download DLL malware from Catbox or Dropbox and execute it with rundll32. The final backdoor used multiple threads, IOCP-based HTTP POST C2 communications, Base64 and MT19937-based encoding, mutex-based single-instance control, host profiling, process enumeration, keepalive changes, and code-injection preparation. Infrastructure and delivery changed over time, including C2 shifts from 166.88.90[.]143 to 166.88.117[.]246 and a linked Mercury Swap phishing site that could target cryptocurrency wallets. The article places the activity in the broader risk context of job-themed malware delivery, DPRK IT worker deception, Contagious Interview, and Lazarus-linked Operation DreamJob, but the analyzed GitHub activity should not be attributed beyond what the source supports.

Indicators of Compromise

