Malicious npm Package express-session-js Drops Full RAT Payload

2026-04-02 Safe Dep

https://safedep.io/malicious-npm-package-express-session-js/


The npm package express-session-js typosquatted the legitimate express-session middleware and executed its malicious code as a side effect of require(), not through an install hook, so install-time controls such as ignoring lifecycle scripts would not have blocked it. Its dropper retrieved an obfuscated stage-two payload from jsonkeeper[.]com; static deobfuscation showed a full RAT and infostealer configured to reach 216[.]126[.]237[.]71 over Socket.IO and related upload channels. The payload supports browser credential theft, crypto wallet extraction, sensitive file collection, screenshots, clipboard monitoring, keylogging, and remote mouse and keyboard control. The report links the package to the DPRK/Lazarus Contagious Interview campaign through the jsonkeeper delivery pattern, Cloudzy-hosted C2 infrastructure, tooling overlap, and the campaign's broader history of malicious npm packages.
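As an added defensive check (not code from the SafeDep report or the package itself), the Node.js script below audits a package-lock.json for the typosquat named above and, more generally, for lookalikes of the legitimate express-session name; the sample lockfile, the protected-name list and the edit-distance threshold are constructed assumptions.

```javascript
// Added example: flag the known typosquat and near-miss names in an npm lockfile.
const KNOWN_MALICIOUS = new Set(["express-session-js"]); // name taken from the report
const PROTECTED = ["express-session"];                  // assumed list of names to guard

// Levenshtein edit distance, used to catch single-character lookalikes.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Strip a scope and common decoy prefixes/suffixes ("-js", "node-") before comparing.
function normalize(name) {
  return name.replace(/^@[^/]+\//, "").replace(/^(node|npm)-/, "").replace(/-(js|node|npm)$/, "");
}

// Walk the "packages" map of a lockfile v2/v3 object; returns [{ name, reason }].
function auditLockfile(lock) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const marker = "node_modules/";
    const name = info.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (KNOWN_MALICIOUS.has(name)) {
      findings.push({ name, reason: "known malicious (SafeDep report)" });
      continue;
    }
    for (const legit of PROTECTED) {
      if (name === legit) continue;
      const stripped = normalize(name);
      if (stripped === legit || editDistance(stripped, legit) <= 1)
        findings.push({ name, reason: `lookalike of ${legit}` });
    }
  }
  return findings;
}

// Constructed sample lockfile (not real project data).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/express": { version: "4.19.2" },
  "node_modules/express-session": { version: "1.18.0" },
  "node_modules/express-session-js": { version: "1.0.0" },
  "node_modules/expres-session": { version: "0.0.1" },
} };

const RESULT = auditLockfile(SAMPLE_LOCK);
console.log(RESULT); // flags express-session-js and expres-session
```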

Indicators of Compromise

Type    Value                              First Seen  Last Seen
IPv4    216.126.237.71                     2026-04-02  2026-04-24
HASH    a36adbc35e69b22acbf9f834a0deb286   2026-04-02  2026-04-02
HASH    b5cca27ca1d792bd8c46b83fccfa4e5…   2026-04-02  2026-04-02
EMAIL   [email protected]                  2026-04-02  2026-04-02
URL     https://jsonkeeper.com/b/YY8VI     2026-04-02  2026-04-02
IPv4    216.126.227.239                    2026-02-28  2026-04-02
IPv4    216.126.229.166                    2025-11-13  2026-04-02
DOMAIN  ukr.net                            2023-04-12  2026-04-02
