North Korean APT Lazarus Targets Developers with Malicious npm Package

2025-01-29 Socket

https://socket.dev/blog/north-korean-apt-lazarus-targets-developers-with-malicious-npm-package


Socket found a malicious npm package, postcss-optimizer, that impersonated the legitimate postcss library and contained BeaverTail malware linked to North Korean Contagious Interview activity within the broader Lazarus ecosystem. The package targeted developers by collecting host and platform details, searching home directories for credentials, browser data, and cryptocurrency wallets, and sending stolen data to a hardcoded C2 server. It also fetched a Python-based follow-on payload, likely related to InvisibleFerret, giving the operator persistence, data theft, and longer-term access across Windows, macOS, and Linux systems.
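The one check a developer or CI pipeline can run immediately on the basis of this report is whether the named package ever made it into a project's dependency tree. The script below is an added example, not code from Socket or from the report; it walks a package-lock.json in either the v1 (nested "dependencies") or v2/v3 ("packages" map) layout and reports any entry whose name is on a blocklist seeded with postcss-optimizer. The embedded lockfile is constructed for the example, and the resolved URL and version shown for the malicious entry are assumptions, not values taken from the report.

```python
import json
from typing import Iterator

# Package name taken from the Socket report; append further names here
# as they are published.
MALICIOUS_PACKAGES = {"postcss-optimizer"}

# Constructed sample of a lockfileVersion 3 package-lock.json (not a real
# project's lockfile). Versions and resolved URLs are assumptions for the demo.
SAMPLE_LOCKFILE = """
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app",
         "dependencies": {"postcss": "^8.4.0", "postcss-optimizer": "^1.0.0"}},
    "node_modules/postcss": {
      "version": "8.4.49",
      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.49.tgz"
    },
    "node_modules/postcss-optimizer": {
      "version": "1.0.3",
      "resolved": "https://registry.npmjs.org/postcss-optimizer/-/postcss-optimizer-1.0.3.tgz"
    },
    "node_modules/postcss/node_modules/nanoid": {
      "version": "3.3.7",
      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.7.tgz"
    }
  }
}
"""


def package_name(lock_key: str) -> str:
    """Reduce a v2/v3 key such as 'node_modules/a/node_modules/@s/b' to '@s/b'."""
    return lock_key.rsplit("node_modules/", 1)[-1]


def iter_packages(lock: dict) -> Iterator[tuple[str, dict]]:
    """Yield (name, entry) for every installed package, whatever the lockfile version."""
    if "packages" in lock:  # lockfileVersion 2 or 3: flat map keyed by install path
        for key, entry in lock["packages"].items():
            if key:  # the empty key is the root project itself, not a dependency
                yield package_name(key), entry
    else:  # lockfileVersion 1: nested "dependencies" tree
        stack = [lock.get("dependencies", {})]
        while stack:
            for name, entry in stack.pop().items():
                yield name, entry
                if "dependencies" in entry:
                    stack.append(entry["dependencies"])


def find_malicious(lock_text: str, blocklist=MALICIOUS_PACKAGES) -> list[dict]:
    """Return every lockfile entry whose package name is on the blocklist."""
    lock = json.loads(lock_text)
    hits = []
    for name, entry in iter_packages(lock):
        if name in blocklist:
            hits.append({"name": name,
                         "version": entry.get("version"),
                         "resolved": entry.get("resolved")})
    return hits


if __name__ == "__main__":
    for hit in find_malicious(SAMPLE_LOCKFILE):
        print(f"BLOCKED {hit['name']}@{hit['version']} from {hit['resolved']}")
```

Matching on the exact name is deliberate: the package impersonated postcss by name, so an edit-distance heuristic against "postcss" would not have caught it, and a blocklist of published names is the reliable signal. A lockfile hit only says the package was resolved for install; the follow-on Python payload and any credential or wallet theft the report describes still have to be checked on the hosts that ran the install.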

Indicators of Compromise

Type    Value                 First Seen    Last Seen
IPv4    91.92.120.132         2025-01-29    2025-02-07
EMAIL   [email protected]     2025-01-29    2025-01-29
