How malware abuses npm lifecycle scripts and VS Code tasks

2026-05-14 OSM

https://opensourcemalware.com/blog/malware-abuses-vscode-lifecycle-scripts


OpenSourceMalware shows how malicious packages and repositories abuse legitimate developer automation so payloads can run during `npm install` or when a repository is opened in VS Code. The DPRK-relevant section notes Lazarus-linked Contagious Interview activity using `.vscode/tasks.json` with `runOn: folderOpen` to trigger code execution against developer targets. Fake Font hid hex-encoded JavaScript in a `.woff2` file that decoded and launched BeaverTail before ultimately deploying InvisibleFerret, while TasksJacker scaled the same repository task-abuse technique. The finding matters because it treats developer workstations, package lifecycle hooks, and IDE automation as initial-access surfaces even when the malicious code is never imported by an application.
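As an added example (not code from the OpenSourceMalware post or the tooling it describes), a small repository audit that flags the two auto-execution surfaces the summary mentions: npm install-time lifecycle hooks in `package.json`, and VS Code tasks with `runOptions.runOn` set to `folderOpen` in `.vscode/tasks.json`. The file contents are constructed samples; `node setup.js` is a placeholder command.

```python
import json

# npm runs these scripts automatically during `npm install`, whether or not the
# package is ever imported by the application. "prepare" is included because it
# runs on a local install from git as well.
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}


def find_npm_lifecycle_hooks(package_json_text):
    """Return (script_name, command) for every install-time hook in a package.json."""
    pkg = json.loads(package_json_text)
    scripts = pkg.get("scripts") or {}
    return [(name, cmd) for name, cmd in scripts.items() if name in NPM_LIFECYCLE_HOOKS]


def find_folder_open_tasks(tasks_json_text):
    """Return (label, command) for tasks VS Code auto-runs when the folder is opened.

    Assumes plain JSON; real tasks.json files are JSONC and may carry comments,
    so a production scanner should strip those before parsing.
    """
    tasks = json.loads(tasks_json_text)
    hits = []
    for task in tasks.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            hits.append((task.get("label", "<unlabeled>"), task.get("command", "")))
    return hits


# Constructed sample files standing in for a cloned repository.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "scripts": {"test": "jest", "postinstall": "node setup.js"},
})
SAMPLE_TASKS_JSON = json.dumps({
    "version": "2.0.0",
    "tasks": [
        {"label": "build", "type": "shell", "command": "npm run build"},
        {"label": "init", "type": "shell", "command": "node setup.js",
         "runOptions": {"runOn": "folderOpen"}},
    ],
})

if __name__ == "__main__":
    for name, cmd in find_npm_lifecycle_hooks(SAMPLE_PACKAGE_JSON):
        print(f"[npm hook] {name}: {cmd}")
    for label, cmd in find_folder_open_tasks(SAMPLE_TASKS_JSON):
        print(f"[vscode folderOpen task] {label}: {cmd}")
```

A hit is not proof of malice, since many legitimate projects use `postinstall` or folder-open tasks; it marks the files a reviewer should read before running `npm install` or opening the folder in VS Code.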

Indicators of Compromise

Type    Value               First Seen  Last Seen
DOMAIN  audit.checkmarx.cx  2026-05-14  2026-05-14
