A Year-Long Campaign of North Korean Actors Targeting Developers via Malicious npm Packages

2024-08-07 Checkmarx

https://zero.checkmarx.com/a-year-long-campaign-of-north-korean-actors-targeting-developers-via-malicious-npm-packages-dbf7a6761361

Checkmarx describes a North Korean campaign, active for close to a year, that publishes malicious npm packages to compromise developers; a surge in July 2024 was reported by multiple security firms. The packages are often short-lived because the actors unpublish them quickly, erasing the registry placeholders that would otherwise help researchers track the package names. Across samples the malware keeps a similar flow: check the operating system, download a payload and XOR-decrypt it, execute it with rundll32 (so the payload stage targets Windows hosts), and clean up traces. Recent packages mimic trusted npm projects by blending copied legitimate code with malicious functionality, while the lure set has shifted from fake job interviews to other development-workflow pretexts.

Indicators of Compromise

Type    Value                              First Seen   Last Seen
IPv4    142.111.77.196                     2024-08-01   2025-10-20
DOMAIN  cryptocopedia.com                  2024-07-08   2025-05-16
URL     https://cryptocopedia.com/explo…   2024-07-08   2024-08-24
