More malicious npm packages found in wake of JumpCloud supply chain hack
2023-07-27 • ReversingLabs
ReversingLabs found additional malicious npm packages linked to the JumpCloud supply chain incident and cryptocurrency-sector targeting, including btc-api-node and packages impersonating or resembling legitimate crypto-related modules. The packages communicated with npmaudit[.]com, a domain also cited by GitHub as command-and-control infrastructure in a low-volume social engineering campaign against technology employees. The infection chain used npm postinstall execution, Base64-encoded values, weakened TLS certificate verification, local staging directories such as .electron, and a downloaded token file used to signal readiness for a second-stage payload. The report notes that CrowdStrike, SentinelOne, Mandiant, and others linked related activity to North Korean state-sponsored actors, while ReversingLabs described its own evidence as inconclusive but consistent with DPRK interest in cryptocurrency theft. The broader package set and a timeline reaching back to May suggest the campaign may have extended beyond JumpCloud's small set of cryptocurrency-industry customers.
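The traits listed above (lifecycle hook, Base64-encoded values, disabled TLS verification, a .electron staging path, the npmaudit[.]com domain) can be turned into a triage heuristic for an unpacked npm package. The script below is an added example written for this summary, not ReversingLabs' tooling; the rule names, the sample manifest and the sample source file are constructed, and it assumes Node.js with the global Buffer.

```javascript
// Added example (not ReversingLabs' code): heuristic triage of an unpacked npm
// package for the traits the report describes. Sample inputs are constructed.
const SUSPECT_HOST = "npmaudit.com";   // C2 domain cited in the report
const STAGING_DIR = ".electron";       // local staging directory named in the report

// Each rule is a label plus a regex applied to the package's JavaScript source.
const SOURCE_RULES = [
  ["base64-decode", /Buffer\.from\([^)]*,\s*["']base64["']\)|\batob\(/],
  ["tls-verify-disabled", /rejectUnauthorized\s*:\s*false|NODE_TLS_REJECT_UNAUTHORIZED/],
  ["c2-domain", new RegExp(SUSPECT_HOST.replace(".", "\\."))],
  ["staging-dir", new RegExp(STAGING_DIR.replace(".", "\\."))],
];

// Decode Base64-looking string literals so an encoded C2 host is still matched.
function decodedLiterals(body) {
  const out = [];
  for (const m of body.matchAll(/["']([A-Za-z0-9+/]{12,}={0,2})["']/g)) {
    out.push(Buffer.from(m[1], "base64").toString("utf8"));
  }
  return out.join("\n");
}

// Returns finding labels for one package given its manifest and source files.
function scanPackage(manifest, sources) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of ["preinstall", "install", "postinstall"]) {
    if (scripts[hook]) findings.push(`lifecycle-hook:${hook}`);
  }
  const body = Object.values(sources).join("\n");
  const haystack = body + "\n" + decodedLiterals(body);
  for (const [label, re] of SOURCE_RULES) {
    if (re.test(haystack)) findings.push(label);
  }
  return findings;
}

// A lifecycle hook alone is common; flag when it is paired with two or more traits.
function isHighRisk(findings) {
  const hooks = findings.filter(f => f.startsWith("lifecycle-hook:")).length;
  return hooks > 0 && findings.length - hooks >= 2;
}

// Constructed sample resembling the reported chain (not a real package).
const SAMPLE_MANIFEST = { name: "sample-helper", version: "1.0.0",
                          scripts: { postinstall: "node setup.js" } };
const SAMPLE_SOURCES = { "setup.js": [
  'const host = Buffer.from("bnBtYXVkaXQuY29t", "base64").toString();',
  'https.get({ host, path: "/api/v4/init", rejectUnauthorized: false }, () => {});',
  'const stage = path.join(os.homedir(), ".electron");',
].join("\n") };
```

Run it against an extracted tarball by reading package.json into the manifest and each .js file into the sources map; a clean package returns an empty list.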
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | npmaudit.com | 2023-07-18 | 2023-08-02 |
| URL | https://npmaudit.com/api/v4/init | 2023-07-22 | 2023-07-27 |