First instance of PylangGhost RAT observed on npm

2026-03-13 Kmsec

https://kmsec.uk/blog/pylangghost-npm/


KMSEC found two npm packages published by jaime9008 that distribute an obfuscated loader for PylangGhost, a RAT which, according to the report, Cisco Talos has attributed to FAMOUS CHOLLIMA. Malicious versions of react-refresh-update and @jaime9008/math-service used runtime.js, babel.js, and lib.js as infection points, each carrying a loader chain of decode, XOR-decrypt, and eval. The decrypted JavaScript chose payload URLs by operating system, downloaded Windows, macOS, or Linux components from malicanbur[.]pro, and ran the retrieved scripts or archives to launch the follow-on malware. The report identifies malicanbur[.]pro, 173.211.46[.]22:8080, the affected package versions, a sample hash, and Chrome extension enumeration behavior, showing DPRK-linked tooling moving into npm package distribution.

Indicators of Compromise

Type     Value                                 First Seen   Last Seen
HASH     323ba89ec7410656629f8a1e7890d30…      2026-03-13   2026-03-13
HASH     0be2375362227f846c56c4de2db4d31…      2026-03-13   2026-03-13
URL      https://malicanbur.pro                2026-03-13   2026-03-13
URL      https://malicanbur.pro/winnmrep…      2026-03-13   2026-03-13
DOMAIN   malicanbur.pro                        2026-03-13   2026-03-13
IPv4     173.211.46.22                         2026-03-13   2026-03-13
