Fake Developer Jobs Laced With Malware

2024-02-20 Phylum

https://blog.phylum.io/smuggling-malware-in-test-code/


Phylum found a malicious npm package, execution-time-async, that copied the legitimate execution-time profiler package but hid obfuscated JavaScript in a test file loaded from index.js. The code stole browser credentials, cryptocurrency extension data, and Solana wallet material, then downloaded Python components that provided remote command execution, file upload and download, browser termination, and additional secret theft. Phylum linked the infrastructure and code paths to suspicious GitHub repositories and noted overlap with Palo Alto Networks Unit 42 reporting on BeaverTail in an ongoing North Korean job-themed campaign against software developers. The activity used fake developer work as the social context while placing the payload in open source dependency code.
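The summary above describes the key trick: a package that looks like a profiler, but whose entry point pulls in an obfuscated file living under a test directory, where nobody expects production code. The following script is an added defender-side check written for this page; it is not Phylum's tooling and not code from the package. It resolves an npm package's entry point from package.json, lists the relative modules that entry point requires or imports, flags any that resolve into test directories or `.test.js`/`.spec.js` files, and applies a cheap obfuscation heuristic (very long lines or dense `\x` hex escapes) to the flagged file. The sample package it builds is constructed inline (name `example-profiler`, a harmless hex-escaped string standing in for the blob) purely to exercise the check.

```python
"""Flag npm packages whose entry point loads code from test directories.

Added example for this page; not Phylum's code. The sample package is a
constructed stand-in for the pattern, not the real execution-time-async package.
"""
import json
import re
import tempfile
from pathlib import Path

# CommonJS require('...') and ES `import ... from '...'` specifiers.
REQUIRE_RE = re.compile(r"""require\(\s*['"]([^'"]+)['"]\s*\)""")
IMPORT_RE = re.compile(r"""import\b[^'"]*?['"]([^'"]+)['"]""")
TEST_DIRS = {"test", "tests", "__tests__", "spec", "__mocks__"}
TEST_FILE_RE = re.compile(r"\.(test|spec)\.[cm]?js$")


def entry_point(pkg_dir: Path) -> Path:
    """The file loaded on require(pkg): package.json 'main', else index.js."""
    manifest = json.loads((pkg_dir / "package.json").read_text())
    return pkg_dir / manifest.get("main", "index.js")


def local_specifiers(source: str) -> list[str]:
    """Relative module specifiers (./ or ../) referenced by a JS source."""
    specs = REQUIRE_RE.findall(source) + IMPORT_RE.findall(source)
    return [s for s in specs if s.startswith(".")]


def is_test_path(spec: str) -> bool:
    """True if the specifier points into a test directory or test-named file."""
    parts = Path(spec).parts
    return any(p in TEST_DIRS for p in parts) or bool(TEST_FILE_RE.search(spec))


def looks_obfuscated(source: str) -> bool:
    """Cheap heuristic: a very long line or a high density of \\x escapes."""
    lines = source.splitlines() or [""]
    longest = max(len(line) for line in lines)
    hex_density = source.count("\\x") / max(len(source), 1)
    return longest > 500 or hex_density > 0.02


def resolve(entry: Path, spec: str) -> Path:
    """Resolve a relative specifier the way node does for plain files."""
    target = entry.parent / spec
    if target.is_dir():
        return target / "index.js"
    if not target.exists() and target.with_suffix(".js").exists():
        return target.with_suffix(".js")
    return target


def audit_package(pkg_dir: Path) -> list[dict]:
    """Report entry-point imports that reach into test code, with obfuscation flag."""
    entry = entry_point(pkg_dir)
    findings = []
    for spec in local_specifiers(entry.read_text()):
        if not is_test_path(spec):
            continue
        target = resolve(entry, spec)
        finding = {"entry": entry.name, "specifier": spec, "obfuscated": False}
        if target.is_file():
            finding["obfuscated"] = looks_obfuscated(target.read_text())
        findings.append(finding)
    return findings


def build_sample_package() -> Path:
    """Construct a toy package showing the pattern: index.js requires a test file."""
    root = Path(tempfile.mkdtemp()) / "example-profiler"  # constructed name
    (root / "test").mkdir(parents=True)
    (root / "package.json").write_text(
        json.dumps({"name": "example-profiler", "main": "index.js"})
    )
    (root / "index.js").write_text(
        "require('./test/vendor.test.js');\n"
        "module.exports = function time(fn) {"
        " const t = Date.now(); fn(); return Date.now() - t; };\n"
    )
    # Constructed stand-in for an obfuscated blob: one long hex-escaped string.
    blob = "var _0x = ['" + "".join(f"\\x{ord(c):02x}" for c in "harmless" * 80) + "'];\n"
    (root / "test" / "vendor.test.js").write_text(blob)
    return root


if __name__ == "__main__":
    for f in audit_package(build_sample_package()):
        print(f"{f['entry']} loads {f['specifier']} (obfuscated={f['obfuscated']})")
```

Run it against an unpacked tarball (`npm pack <name>` then extract) before installing; a non-empty findings list is a reason to read the referenced file by hand. The heuristic only follows the entry point one hop, which is the exact shape reported here; extending it to walk the full require graph is straightforward but noisier on large packages.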

Indicators of Compromise

Type     Value                      First Seen   Last Seen
URL      http://npm.mave.finance    2024-02-20   2024-02-20
DOMAIN   npm.mave.finance           2024-02-20   2024-02-20
