New Tactics from a Familiar Threat

2024-07-08 Phylum

https://blog.phylum.io/new-tactics-from-a-familiar-threat/


Phylum reports a North Korea-linked open-source supply chain campaign that weaponized npm by publishing call-blockflow, a near-copy of the legitimate call-bind package, on 4 July 2024; the package was unpublished soon afterwards. The attacker modified package.json to run a preinstall script, callTo.js, which activates only on Windows. That script writes dope.bat and towr.ps1, downloads an XOR-encoded payload from cryptocopedia.com, decodes it into colfunc.csv, renames that file to stringh.dat, executes it via rundll32 by calling its SetExpVal entry point, restores package.json from mod.json, and deletes the staging files. Phylum ties the package to a broader North Korean campaign targeting developers that began in September 2023, citing repeated publish and unpublish cycles, self-deleting install scripts, and idioms shared with earlier malicious packages. The activity is aimed at software developers and fits the actor's cryptocurrency-theft motive.
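As an added, defender-side example that is not from the Phylum post: a Python auditor that flags install-lifecycle hooks in a package.json and scans the script they launch for the idioms described above (Windows-only gate, .bat/.ps1 staging files, rundll32, XOR decoding, package.json restored from mod.json, self-deletion). The function names, indicator patterns and the inert sample package are constructed for illustration.

```python
import json
import os
import re
import tempfile

LIFECYCLE = ("preinstall", "install", "postinstall")
# Coarse indicators for the behaviours the report describes; tune before real use.
INDICATORS = [
    ("windows-only gate", re.compile(r"process\.platform\s*[!=]==?\s*['\"]win32['\"]")),
    ("drops .bat/.ps1 stager", re.compile(r"\.(bat|ps1)\b")),
    ("rundll32 launch", re.compile(r"rundll32", re.I)),
    ("xor decode", re.compile(r"\^")),
    ("restores package.json from mod.json", re.compile(r"mod\.json")),
    ("self-deleting stager", re.compile(r"unlinkSync|rmSync|del\s+/[fq]", re.I)),
]

def audit_package(pkg_dir):
    """Findings for one package: install hooks, plus indicators in the JS they run."""
    findings = []
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        scripts = json.load(fh).get("scripts", {})
    for hook in LIFECYCLE:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(f"{hook}: {cmd}")
        m = re.search(r"node\s+(\S+\.js)", cmd)  # "node callTo.js"-style hook
        path = os.path.join(pkg_dir, m.group(1)) if m else None
        if path and os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            findings += [f"{m.group(1)}: {n}" for n, rx in INDICATORS if rx.search(src)]
    return findings

def make_sample():
    """Write a constructed, inert package mimicking the reported idioms (test data only)."""
    root = tempfile.mkdtemp()
    pkg = os.path.join(root, "call-blockflow")
    os.makedirs(pkg)
    with open(os.path.join(pkg, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "call-blockflow", "scripts": {"preinstall": "node callTo.js"}}, fh)
    with open(os.path.join(pkg, "callTo.js"), "w", encoding="utf-8") as fh:
        fh.write('// constructed stub, never executed\nif (process.platform !== "win32") process.exit(0);\n'
                 'const stager = "dope.bat"; /* rundll32 stringh.dat */ // b[i] ^ k\n'
                 'fs.copyFileSync("mod.json", "package.json"); fs.unlinkSync(stager);\n')
    return pkg
```

Run audit_package over every directory containing a package.json under node_modules (an os.walk loop) to audit a whole install tree; any hook plus two or more indicators is worth a manual look before the package is trusted.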

Indicators of Compromise

Type    Value                               First Seen   Last Seen
DOMAIN  cryptocopedia.com                   2024-07-08   2025-05-16
URL     https://cryptocopedia.com/explo…    2024-07-08   2024-08-24
