The report covers additional Contagious Interview activity in which North Korean threat actors expanded BeaverTail distribution beyond npm and GitHub to Bitbucket. Malicious npm packages were used to target software developers, sometimes through fake job-assessment workflows or typosquatting, and some shared C2 infrastructure with Phantom Circuit activity. The BeaverTail payload steals browser data, cryptocurrency wallet extension data, Solana keypair stores, Firefox extension data, macOS keychain material, and browser login databases. It can also download and execute Invisible Ferret, and the report notes evolving evasion through hex-encoded C2 data, staging services, obfuscation, and anti-debugging logic.