Nation-State Threat Actors Renew Publications to npm

2024-04-24 Phylum

https://blog.phylum.io/north-korean-state-actors/


Phylum linked new npm publications on 23 April 2024 to a previously reported North Korea-attributed campaign against open-source package ecosystems. The packages react-dom-production-script and hardhat-daemon used a preinstall hook to run deference.js as soon as a developer installed the package. That file was a trojanized and obfuscated version of code from the legitimate node-config package, giving the attackers arbitrary code execution during installation. The activity shows the campaign continuing with small changes in packaging and obfuscation rather than abandoning the npm delivery route.
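
A defender-side check for the delivery mechanism described above, as an added example that is not part of the Phylum report: it audits package.json text for install-time lifecycle hooks and lists the script files they pass to node. The function names, the sample manifests and the exact hook command are assumptions constructed for illustration.

```javascript
// Added example (not from the Phylum report): flag install-time lifecycle hooks.
// npm runs these scripts automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Pull out script files a hook command passes to node, e.g. "node deference.js".
function nodeScriptTargets(command) {
  const re = /(?:^|[\s;&|])node\s+(?:--?\S+\s+)*([^\s;&|]+\.[cm]?js)/g;
  return [...command.matchAll(re)].map((m) => m[1]);
}

// Audit one package.json (raw text). Returns one finding per install-time hook.
function auditManifest(text) {
  let manifest;
  try {
    manifest = JSON.parse(text) || {};
  } catch (err) {
    return [{ name: null, hook: null, command: null, files: [], error: err.message }];
  }
  const scripts = manifest.scripts && typeof manifest.scripts === "object" ? manifest.scripts : {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string").map((hook) => ({
    name: manifest.name || "(unnamed)",
    hook,
    command: scripts[hook],
    files: nodeScriptTargets(scripts[hook]),
  }));
}

// Audit many manifests; packages named in `allowlist` (hooks already reviewed) are skipped.
function auditAll(manifestTexts, allowlist = []) {
  return manifestTexts.flatMap(auditManifest).filter((f) => !allowlist.includes(f.name));
}

// Constructed sample manifests. The hook command in the first one is an assumption
// modelled on the report's description (a preinstall hook that runs deference.js).
const SAMPLES = [
  JSON.stringify({ name: "example-trojanized-pkg", version: "1.0.0",
    scripts: { preinstall: "node deference.js", test: "node test.js" } }),
  JSON.stringify({ name: "example-native-addon", scripts: { install: "node-gyp rebuild" } }),
  JSON.stringify({ name: "example-plain-lib", scripts: { build: "tsc" } }),
];

for (const f of auditAll(SAMPLES, ["example-native-addon"])) {
  console.log(`${f.name}: ${f.hook} -> ${f.command} (files: ${f.files.join(", ") || "none"})`);
}
```

Installing with `npm install --ignore-scripts` keeps these hooks from executing while a flagged package is reviewed.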

Indicators of Compromise

Type    Value                             First Seen  Last Seen
DOMAIN  matrixane.com                     2024-04-24  2024-05-28
URL     https://matrixane.com/download/…  2024-04-24  2024-04-24
