Lazarus Group Launches First Open Source Supply Chain Attacks Targeting Crypto Sector

2023-08-02 Checkmarx

https://medium.com/checkmarx-security/lazarus-group-launches-first-open-source-supply-chain-attacks-targeting-crypto-sector-cabc626e404e

Checkmarx reported a Lazarus/Jade Sleet/TraderTraitor campaign targeting blockchain, cryptocurrency, and online gambling organizations through malicious npm package dependencies. The attackers used fake developer and recruiter personas on platforms such as LinkedIn, Slack, Telegram, and GitHub to persuade targets to collaborate on repositories containing paired malicious packages. The first package created a hidden .svnlook directory and fetched update data from cryptopriceoffer.com, while the second read the token, requested a follow-on payload, wrote it to disk, and executed it with Node.js; both disabled TLS certificate verification. The report frames this as a nation-state open-source supply-chain intrusion and notes the actor refined package synchronization and encoding over time to reduce detection.

Indicators of Compromise

Type    Value                              First Seen  Last Seen
YARA    lazarus_2                          2023-08-02  2023-08-02
YARA    lazarus_1                          2023-08-02  2023-08-02
URL     https://cryptopriceoffer.com/ch…   2023-08-02  2023-08-02
DOMAIN  npmaudit.com                       2023-07-18  2023-08-02
DOMAIN  cryptopriceoffer.com               2023-07-18  2023-08-02
DOMAIN  coingeckoprice.com                 2023-07-18  2023-08-02
DOMAIN  npmjscloud.com                     2023-07-18  2023-08-02
DOMAIN  tradingprice.net                   2023-06-23  2023-08-02
DOMAIN  npmrepos.com                       2023-06-23  2023-08-02
DOMAIN  npmcloudjs.com                     2023-06-23  2023-08-02
DOMAIN  bi2price.com                       2023-06-23  2023-08-02
DOMAIN  npmjsregister.com                  2023-06-23  2023-08-02
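The summary paragraph and the IoC table above describe the same small set of traits: packages that run code at install time, reach out to one of the listed domains, create a hidden `.svnlook` directory, and disable TLS certificate verification. As an added example, not code from the Checkmarx report or from the actor's packages, the following Node.js script performs a static triage pass over an npm package tree for exactly those traits. The domain list is taken from the IoC table; the TLS-bypass patterns (`NODE_TLS_REJECT_UNAUTHORIZED` and `rejectUnauthorized: false`), the verdict thresholds and the two sample packages are assumptions constructed for the demo, not artefacts from the campaign.

```javascript
// Added example for this summary page (not code from the Checkmarx report or the
// actor's packages): static triage of an npm package tree for the traits the
// report describes. Domains come from the IoC table; everything else is assumed.

const IOC_DOMAINS = [
  'cryptopriceoffer.com', 'npmaudit.com', 'coingeckoprice.com', 'npmjscloud.com',
  'tradingprice.net', 'npmrepos.com', 'npmcloudjs.com', 'bi2price.com', 'npmjsregister.com',
];

// Assumed patterns (not from the page): the two usual ways Node.js code turns
// off TLS certificate verification.
const TLS_BYPASS_PATTERNS = [
  /NODE_TLS_REJECT_UNAUTHORIZED\W*\s*=\s*['"]?0/,
  /rejectUnauthorized\s*:\s*false/,
];

// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

function escapeRegExp(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); }

// Scan one source file; returns [{file, kind, detail}, ...].
function scanSource(file, text) {
  const findings = [];
  for (const d of IOC_DOMAINS) {
    // Match the domain as a whole label, not as a substring of another host.
    const re = new RegExp('(^|[^a-z0-9-])' + escapeRegExp(d) + '(?![a-z0-9-])', 'i');
    if (re.test(text)) findings.push({ file, kind: 'ioc-domain', detail: d });
  }
  if (/\.svnlook/.test(text)) findings.push({ file, kind: 'hidden-dir', detail: '.svnlook' });
  for (const re of TLS_BYPASS_PATTERNS) {
    if (re.test(text)) findings.push({ file, kind: 'tls-bypass', detail: re.source });
  }
  return findings;
}

// Scan a parsed package.json for install-time hooks.
function scanManifest(file, pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ file, kind: 'install-hook', detail: `${hook}: ${scripts[hook]}` }));
}

// files: { 'relative/path': 'contents' }. Returns all findings plus a coarse verdict.
function triagePackage(files) {
  let findings = [];
  for (const [file, text] of Object.entries(files)) {
    if (file.endsWith('package.json')) {
      try { findings = findings.concat(scanManifest(file, JSON.parse(text))); }
      catch (e) { findings.push({ file, kind: 'parse-error', detail: e.message }); }
    } else {
      findings = findings.concat(scanSource(file, text));
    }
  }
  const kinds = new Set(findings.map((f) => f.kind));
  // Assumed policy: a known IoC domain is an immediate block; an install hook
  // paired with TLS bypass or the hidden directory warrants manual review.
  let verdict = 'clean';
  if (kinds.has('ioc-domain')) verdict = 'block';
  else if (kinds.has('install-hook') && (kinds.has('tls-bypass') || kinds.has('hidden-dir'))) verdict = 'review';
  return { findings, verdict };
}

// Constructed sample packages (not real packages) mimicking the described traits.
const SAMPLE_SUSPICIOUS = {
  'package.json': JSON.stringify({ name: 'demo-pkg', version: '1.0.0',
    scripts: { postinstall: 'node lib/update.js' } }),
  'lib/update.js': [
    "const https = require('https');",
    "const dir = require('path').join(require('os').homedir(), '.svnlook');",
    "https.get('https://cryptopriceoffer.com/', { rejectUnauthorized: false }, () => {});",
  ].join('\n'),
};
const SAMPLE_CLEAN = {
  'package.json': JSON.stringify({ name: 'demo-clean', version: '1.0.0', scripts: { test: 'node test.js' } }),
  'index.js': 'module.exports = (a, b) => a + b;',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, files] of [['suspicious', SAMPLE_SUSPICIOUS], ['clean', SAMPLE_CLEAN]]) {
    const r = triagePackage(files);
    console.log(name, '=>', r.verdict, r.findings);
  }
}
```

To run this against a real dependency tree, read each file under `node_modules/<pkg>/` into the `files` map; the install-hook check is the cheapest signal because it comes from `package.json` alone, while the domain and TLS checks need the source text. The domain list should be refreshed from the IoC table rather than treated as complete, since the actor rotated registration-themed domains over the campaign.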
