BeaverTail & InvisibleFerret
2025-02-07 • SICERT
Attackers posed as job seekers or collaboration partners, typically approaching victims through LinkedIn and sending a seemingly legitimate project that executed malicious code when run. The activity targeted Web3 companies and individuals working with smart contracts, cryptocurrency, and blockchain.

The lure was an NPM package with obfuscated JavaScript hidden in a local route module. When run, the first-stage script sent host identifiers and metadata to http://23.106.253.221:1244/keys, then created a .vscode directory, downloaded test.js and package.json from the same server, installed dependencies, and executed the next payload.

The downloaded BeaverTail Node.js module stole browser data and cryptocurrency-wallet data from extensions such as MetaMask, TronLink, BNB Chain Wallet, Coinbase Wallet, Phantom, and Coin98, uploading it to http://23.106.253.221:1244/uploads.

The source does not make its own attribution, but notes that other security research has linked similar tradecraft and malware to North Korean state-sponsored activity.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 23.106.253.221 | 2025-02-07 | 2025-11-13 |
| HASH | 6a104f07ab6c5711b6bc8bf6ff956ab… | 2024-10-23 | 2025-07-26 |
| IPv4 | 173.211.106.101 | 2024-04-25 | 2025-07-26 |
| HASH | 354e7014103783c2096b9f29e4eed11… | 2025-02-07 | 2025-02-07 |
| HASH | 6b331ab212a839ad1b1b673ca74a3c5… | 2025-02-07 | 2025-02-07 |
| HASH | 95e3cbaac2749928598928c3b8ca803… | 2025-02-07 | 2025-02-07 |
| HASH | f46b47e859f321b6676289f3637538b… | 2025-02-07 | 2025-02-07 |
| HASH | 335ad22f143ff050bb405cd48d0011a… | 2025-02-07 | 2025-02-07 |
| HASH | 4f632429fedb39fa2addaeff3ba9006… | 2025-02-07 | 2025-02-07 |