Crypto-Themed npm Packages Found Delivering Stealthy Malware

2023-11-04 Phylum

https://blog.phylum.io/crypto-themed-npm-packages-found-delivering-stealthy-malware/


Phylum found a crypto-themed npm supply-chain campaign after its detector flagged the puma-com package on October 30, 2023, then connected four more packages to the same activity. The Windows-only preinstall script writes and runs batch and PowerShell files, downloads npm.mov from 103.179.142.171, XOR-decrypts it into sql.tmp, renames it to preinstall.db, and executes the DLL through rundll32 with the CalculateSum export. The installer deletes scripts, removes temporary payload names, and restores package.json from pk.json to hide the deployment chain after installation. The source does not attribute the campaign to a named actor, but notes the package names suggest a blockchain or cryptocurrency target set.
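The install-time chain described above is the kind of behaviour a pre-install audit of an npm tarball should surface. The script below is an added example, not part of Phylum's report or tooling: it scans a package's lifecycle hooks, and any local JS file a hook hands to node, for the indicators the report names (a win32 platform gate, batch/PowerShell launchers, a rundll32 export call on a renamed DLL, and a pk.json backup of package.json). Both sample packages are constructed.

```python
import json
import re
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Indicators from the chain described above: a win32 gate, batch/PowerShell launchers,
# rundll32 calling an export from a renamed DLL, and the pk.json backup of package.json.
INDICATORS = {
    "platform-gate": re.compile(r"process\.platform\s*===?\s*['\"]win32['\"]"),
    "windows-script-launch": re.compile(r"\b(cmd(\.exe)?\s+/c|powershell(\.exe)?|\w+\.(bat|ps1))\b", re.I),
    "rundll32-export-call": re.compile(r"\brundll32(\.exe)?\b[^\n]*?\.(dll|db|tmp)\s*,\s*\w+", re.I),
    "package-json-restore": re.compile(r"\bpk\.json\b", re.I),
}
NODE_SCRIPT_REF = re.compile(r"\bnode\s+([\w./-]+\.c?js)\b")  # e.g. "node preinstall.js"

def audit_package(files):
    """files: path -> text of an unpacked npm tarball. Returns one finding per
    (hook, file, indicator) hit in a lifecycle hook or the local JS it hands to node."""
    scripts = json.loads(files.get("package.json", "{}")).get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        sources = {"package.json": cmd}  # the hook command itself
        for ref in NODE_SCRIPT_REF.findall(cmd):
            if ref in files:                # ...plus any local script it launches
                sources[ref] = files[ref]
        for path, text in sources.items():
            for name, pattern in INDICATORS.items():
                if pattern.search(text):
                    findings.append({"hook": hook, "file": path, "indicator": name})
    return findings

# Constructed sample tarballs; the suspect installer mirrors the behaviour the
# report describes and is not the actual puma-com code.
CLEAN_PACKAGE = {
    "package.json": json.dumps({"name": "demo", "scripts": {"postinstall": "node scripts/notice.js"}}),
    "scripts/notice.js": "console.log('thanks for installing demo');\n",
}
SUSPECT_PACKAGE = {
    "package.json": json.dumps({"name": "demo-wallet", "scripts": {"preinstall": "node preinstall.js"}}),
    "preinstall.js": (
        "if (process.platform === 'win32') {\n"
        "  const fs = require('fs');\n"
        "  fs.writeFileSync('run.bat', 'powershell -File stage.ps1');\n"
        "  require('child_process').execSync('rundll32 preinstall.db,CalculateSum');\n"
        "  fs.renameSync('pk.json', 'package.json');\n"
        "}\n"
    ),
}
```

Run `audit_package` over the files extracted from a tarball (`npm pack` output) before installing; a package whose only lifecycle hook is a plain `node` script still gets its script body inspected.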

Indicators of Compromise

Type     Value              First Seen    Last Seen
DOMAIN   outlook.com        2018-09-06    2026-04-17
IPv4     91.206.178.125     2023-11-04    2024-07-05
IPv4     103.179.142.171    2023-11-04    2024-01-19
