Contagious Interview gets an upgrade for 2026

2026-01-20 OSM

https://opensourcemalware.com/blog/contagious-interview-comprehensive

OpenSourceMalware traced the malicious npm package tailwindcss-forms-kit to the DPRK-linked Contagious Interview campaign, where fake recruiters target software engineers in cryptocurrency, Web3, and blockchain roles. The package masqueraded as a Tailwind utility, then fetched heavily obfuscated JavaScript from api.npoint.io and connected to 95.216.37.186:5000 over Socket.IO for registration, file upload, tasking, and command execution. The payload harvested browser passwords, macOS keychains, shell history, cloud credential directories, sensitive files, and cryptocurrency wallet data from browser extensions and desktop wallets. Windows persistence used an HKCU Run key named NvidiaDriverUpdate, giving the operators continued access after the initial social-engineering-driven package execution.
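A defender-side triage routine for the indicators named above, written as an added example rather than OpenSourceMalware's code: it classifies constructed endpoint telemetry (DNS, network and registry events) against the C2 address and port, the stager host and the Run key value name from the write-up, and scores a host with more than one distinct finding as high confidence. The event schema, host names and sample events are assumptions made for this illustration.

```python
# Added example: triage constructed endpoint telemetry against the indicators
# in the write-up. Event schema and sample events are assumptions, not real data.
from collections import defaultdict

C2_IP = "95.216.37.186"          # Socket.IO C2 from the write-up
C2_PORT = 5000
STAGER_HOST = "api.npoint.io"    # host the obfuscated second stage was fetched from
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "NvidiaDriverUpdate"  # HKCU Run value name used for persistence


def classify_event(event):
    """Return a finding label for one telemetry event, or None if nothing matches."""
    kind = event.get("type")
    if kind == "network_connect" and event.get("dst_ip") == C2_IP:
        # Port 5000 is the documented listener; any other port to this IP is still a hit.
        return "c2_connect" if event.get("dst_port") == C2_PORT else "c2_ip_other_port"
    if kind == "dns_query":
        # Normalise case and a trailing dot so "API.NPOINT.IO." still matches.
        if event.get("query", "").lower().rstrip(".") == STAGER_HOST:
            return "stager_host_lookup"
    if kind == "registry_set":
        # Registry key paths and value names are case-insensitive on Windows.
        if (event.get("key", "").lower() == RUN_KEY.lower()
                and event.get("value_name", "").lower() == RUN_VALUE.lower()):
            return "run_key_persistence"
    return None


def triage_by_host(events):
    """Group distinct findings per host; two or more distinct labels is high confidence."""
    findings = defaultdict(set)
    for ev in events:
        label = classify_event(ev)
        if label:
            findings[ev["host"]].add(label)
    return {h: ("high" if len(s) > 1 else "medium", sorted(s)) for h, s in findings.items()}


# Constructed sample telemetry (not from a real incident).
SAMPLE_EVENTS = [
    {"host": "dev-mac-01", "type": "dns_query", "query": "API.npoint.io."},
    {"host": "dev-mac-01", "type": "network_connect", "dst_ip": "95.216.37.186", "dst_port": 5000},
    {"host": "dev-win-07", "type": "registry_set", "key": RUN_KEY.upper(), "value_name": "NvidiaDriverUpdate"},
    {"host": "dev-win-07", "type": "registry_set", "key": RUN_KEY, "value_name": "OneDrive"},
    {"host": "dev-win-09", "type": "dns_query", "query": "tailwindcss.com"},
]
```

Running `triage_by_host(SAMPLE_EVENTS)` reports dev-mac-01 as high (stager lookup plus C2 connect), dev-win-07 as medium (Run key only) and nothing for dev-win-09.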

