kmsec.uk reports that Contagious Trader targets cryptocurrency users through malicious GitHub trading bot repositories and npm packages themed around Polymarket, Kalshi, Solana, Raydium, copy trading, and related market activity. The author attributes the campaign to North Korea/Lazarus operations with high confidence, while avoiding assignment to a specific subgroup, based on overlaps with Contagious Interview tradecraft, GitHub and npm abuse, Vercel infrastructure, Base64-encoded endpoints, temporary email use, Astrill VPN publish sources, and package masquerading. Infection paths include direct HTTP/S exfiltration, MongoDB exfiltration, malicious npm dependencies, transitive dependency chains, file theft, and Linux SSH backdoor behavior through authorized_keys modification and ufw changes. The report lists repositories, npm packages, operator publish evidence, domains, IP addresses, Vercel endpoints, and MongoDB hosts that defenders can use to hunt poisoned trading bot projects and dependency-chain compromise.