A New North Korean Group Emerges, Disrupting the Open Source Ecosystem

2024-06-13 Checkmarx

https://checkmarx.com/blog/a-new-north-korean-group-emerges-disrupting-the-open-source-ecosystem/

Checkmarx linked a new North Korean threat actor, Moonstone Sleet, to malicious npm packages targeting the open source software supply chain. The activity overlaps with earlier North Korean package campaigns attributed to Jade Sleet but uses a different structure: later packages execute a payload immediately on installation, embed encoded strings, and initially focus on Windows before adding Linux targeting in the second quarter of 2024. The payload downloads a remote file, decrypts it with byte-wise XOR, runs it through rundll32, and then deletes temporary files while replacing the malicious package.json with a clean version. The report ties the npm activity to Microsoft and Phylum observations and warns that North Korean operators continue to use public registries and developer platforms for financial gain and espionage.