May 2026 APT Group Trend Report
2026-06-16 • AhnLab • May 2026 APT Group Trend Report
North Korea-linked activity in AhnLab's May 2026 APT trend report centered on developer and software-supply-chain intrusion paths. Lazarus abused Git hooks and Jenkins CI/CD workflows to trigger InvisibleFerret, BeaverTail, and FCCCall infections aimed at stealing cryptocurrency wallets and developer credentials. Famous Chollima polluted npm and Packagist development branches and used Cloudflare Workers plus blockchain RPC infrastructure for payload delivery, while Kimsuky used LNK phishing, GitHub, Dropbox, GitLab, VSCode tunneling, and Microsoft CDN infrastructure to deliver multi-stage loaders, AsyncRAT variants, PebbleDash-based tools, MoonPeak, and HttpSpy. TA-RedAnt compromised a Yanbian-region game platform and Windows update chain to deploy BirdCall, RokRAT, and a trojanized mono.dll, and also used spear phishing against defense, police, and North Korea-related targets.