Inside DPRK's npm malware factory: 108 packages, 261 versions, and a 31-day campaign wave

2026-04-24 Panther

https://panther.com/blog/inside-dprk%E2%80%99s-npm-malware-factory-108-packages-261-versions-and-a-31-day-campaign-wave

Panther Threat Research tracked a DPRK-linked npm supply-chain campaign that published 108 malicious packages and 261 versions between March 20 and April 20, 2026. The activity is attributed with high confidence to Famous Chollima / DeceptiveDevelopment based on BeaverTail-consistent behavior, OtterCookie delivery and C2 traits, and overlap with previously documented DPRK npm activity. The packages targeted developer and CI environments, stealing cloud credentials, wallet keys, SSH keys, browser credentials, Telegram sessions, .npmrc tokens, .env secrets, and Solana/Polymarket-related material. The campaign used multiple operational clusters, including OtterCookie-like loaders, BeaverTail port-1244 delivery, dead-drop infrastructure such as jsonkeeper.com and api.npoint.io, attacker IPs, require-time execution, blockchain dead-drops, and authorized_keys persistence. The scale and rotation of package names, payload endpoints, and infrastructure make this more than isolated package abuse and require campaign-level hunting across behavior and infrastructure.
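The behaviours listed above translate directly into triage heuristics for an unpacked package. The script below is an added example, not code from Panther or from the report: it flags install-lifecycle hooks, the dead-drop hosts and port 1244 named in the summary, credential-file paths and authorized_keys references, and runs against a constructed sample package (the `sample-pkg` name, hostnames and `PLACEHOLDER` values are assumptions, not indicators from the page).

```python
"""Heuristic triage of an unpacked npm package for the traits in the summary:
install-time hooks, dead-drop hosts, port-1244 delivery, secret-file access and
authorized_keys persistence. Heuristics only; the sample package is constructed."""
import json
import re
import tempfile
from pathlib import Path

DEAD_DROP_HOSTS = ("jsonkeeper.com", "api.npoint.io")  # named in the report
RULES = {
    "dead_drop_host": re.compile("|".join(re.escape(h) for h in DEAD_DROP_HOSTS)),
    "port_1244": re.compile(r":1244\b|port\s*[:=]\s*1244\b"),  # BeaverTail delivery port
    "secret_path": re.compile(r"\.npmrc\b|\.env\b|\.ssh/"),
    "authorized_keys": re.compile(r"authorized_keys"),
    "dynamic_exec": re.compile(r"\beval\s*\(|new\s+Function\s*\(|child_process"),
}
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

def triage_package(pkg_dir: Path) -> dict:
    """Return {finding: [evidence]} for one unpacked package directory."""
    findings = {}
    pkg_json = json.loads((pkg_dir / "package.json").read_text())
    hooks = [s for s in LIFECYCLE if s in pkg_json.get("scripts", {})]
    if hooks:  # runs during `npm install`, before anything imports the module
        findings["lifecycle_hooks"] = hooks
    for js in sorted(pkg_dir.rglob("*.js")):
        text = js.read_text(errors="ignore")
        for name, rx in RULES.items():
            if rx.search(text):
                findings.setdefault(name, []).append(str(js.relative_to(pkg_dir)))
    return findings

def build_constructed_sample(root: Path) -> Path:
    """Write a constructed (not real) package that carries the reported traits."""
    pkg = root / "sample-pkg"
    pkg.mkdir()
    (pkg / "package.json").write_text(json.dumps({
        "name": "sample-pkg", "version": "1.0.0",
        "scripts": {"postinstall": "node index.js"}}))
    (pkg / "index.js").write_text(
        "const drop = 'https://api.npoint.io/PLACEHOLDER';\n"      # dead-drop lookup
        "const c2 = 'http://example.invalid:1244/';\n"             # port-1244 delivery
        "const tok = require('os').homedir() + '/.npmrc';\n"       # token file read
        "const ak = process.env.HOME + '/.ssh/authorized_keys';\n")  # persistence target
    return pkg

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return triage_package(build_constructed_sample(Path(tmp)))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run over every directory under `node_modules` (or an extracted tarball) and review anything with a lifecycle hook plus one network or secret-path hit; `dynamic_exec` stays quiet on the sample, which shows that the rules are independent signals rather than one combined verdict.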

Indicators of Compromise

Type    Value                           First Seen   Last Seen
IPv4    166.88.54.158                   2026-04-24   2026-06-12
IPv4    198.105.127.210                 2026-03-05   2026-06-12
IPv4    23.27.202.27                    2025-10-20   2026-06-12
IPv4    107.189.20.115                  2026-04-24   2026-04-24
IPv4    95.216.26.109                   2026-04-24   2026-04-24
IPv4    216.126.224.220                 2026-04-24   2026-04-24
IPv4    216.126.237.71                  2026-04-02   2026-04-24
DOMAIN  cloudflareinsights.vercel.app   2026-03-17   2026-04-07