Panther analyzed jsonspack as a DPRK-labeled npm supply-chain campaign involving 27 malicious packages published by eight accounts between March 18 and March 31, 2026, with 3,739 recorded downloads. The packages used developer-tooling names such as Chai plugins, metrics utilities, synchronization tools, and Express middleware, then executed silently when imported via require() rather than through postinstall hooks. Their loaders retrieved obfuscated payloads from multiple C2 delivery channels and evaluated them with Function.constructor, with one decoded channel delivering a 2.8 MB cross-platform Node.js RAT and infostealer. That payload targeted Chromium browser credentials, crypto wallet extensions, .env secrets, full-filesystem files, and clipboard data, exfiltrating to a Vultr VPS at 144.172.110[.]132 over ports 8085, 8086, and 8087. The campaign matters because it shows malicious npm packages evading install-hook scanners while delivering distinct payloads through shared-looking delivery infrastructure.