North Korean Crypto Stealing Campaign Rears Its Head Again

2025-07-31 Veracode

https://www.veracode.com/blog/north-korean-crypto-stealing-campaign-again/


Veracode identified twelve malicious npm packages tied to a persistent North Korean crypto-stealing campaign that targets developers through interview-style coding exercises. The packages relied on typosquatting and cloned legitimate-looking content, then executed obfuscated JavaScript from postinstall hooks, from files hidden under node_modules paths, from license files, or from test-time execution paths. Deobfuscated payloads were BeaverTail variants with cross-platform support for system profiling, cryptocurrency-wallet and browser-extension theft, sensitive-file exfiltration, second-stage downloads, Python execution, shell-command handling, and sandbox evasion. The activity reused port 1224, C2 infrastructure, encryption material, and code patterns across packages, while a bolted-on npoint.io configuration suggests either overlap with, or competition from, another actor. The campaign matters because it combines software-supply-chain abuse with DPRK-linked job-interview lures to steal cryptocurrency and developer secrets that could enable broader corporate access.
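The execution paths described above (install-lifecycle hooks, payloads shipped under node_modules or dot-directories, code inside license files, obfuscation, and the reused port 1224 and npoint.io indicators) can be checked statically before a package is ever installed. The following is an added example written for this page, not Veracode's tooling and not the campaign's code. Package contents are passed in memory so it runs offline; the two sample packages are constructed to exhibit or lack those traits, the scoring rules and heuristic thresholds are assumptions, and the IP set is the full IPv4 values from the indicator table on this page.

```javascript
// Added example for this page (not Veracode's tooling or the campaign's code):
// a static audit of an npm package for the execution paths described above.
// Package contents are supplied in memory as { manifest, files } so it runs
// offline. Thresholds and heuristics are assumptions; tune before relying on them.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Full IPv4 values from the IOC table on this page.
const REPORT_IPS = new Set([
  '144.172.105.235', '144.172.106.7', '144.172.109.98', '45.61.165.45',
  '45.61.128.61', '135.181.123.177', '144.172.104.10', '45.61.150.67', '95.216.46.218',
]);

// Network indicators the report says were reused across packages.
const NETWORK_PATTERNS = [
  { id: 'c2-port-1224', re: /:1224\b/ },
  { id: 'npoint-config', re: /api\.npoint\.io/ },
];

// Cheap obfuscation tells; any one of them on its own is weak evidence.
const OBFUSCATION_PATTERNS = [
  { id: 'eval', re: /\beval\s*\(/ },
  { id: 'function-ctor', re: /\bnew\s+Function\s*\(|\bFunction\s*\(/ },
  { id: 'fromCharCode', re: /String\.fromCharCode/ },
  { id: 'base64-decode', re: /Buffer\.from\([^)]*['"]base64['"]\)|\batob\s*\(/ },
];

const isJsFile = (p) => /\.[cm]?js$/i.test(p);
const isLicenseFile = (p) => /^(LICEN[CS]E|COPYING)(\..*)?$/i.test(p.split('/').pop());
// JS shipped under node_modules/ or a dot-directory inside a tarball is unusual.
const inHiddenPath = (p) => p.split('/').slice(0, -1)
  .some((seg) => seg === 'node_modules' || seg.startsWith('.'));
const looksLikeCode = (t) => /require\s*\(|\beval\s*\(|\bfunction\b|=>|process\.\w|Buffer\./.test(t);
const hexEscapeDensity = (t) => (t.match(/\\x[0-9a-fA-F]{2}/g) || []).length / (t.length || 1);

function auditPackage(pkg, knownIps = REPORT_IPS) {
  const findings = [];
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ id: 'lifecycle-hook', where: `scripts.${hook}`, detail: scripts[hook] });
  }
  for (const [path, text] of Object.entries(pkg.files || {})) {
    const js = isJsFile(path);
    if (isLicenseFile(path) && looksLikeCode(text)) findings.push({ id: 'code-in-license', where: path });
    if (js && inHiddenPath(path)) findings.push({ id: 'js-in-hidden-path', where: path });
    if (js || isLicenseFile(path)) {
      for (const p of OBFUSCATION_PATTERNS) if (p.re.test(text)) findings.push({ id: `obfuscation:${p.id}`, where: path });
      if (hexEscapeDensity(text) > 0.05) findings.push({ id: 'obfuscation:hex-escapes', where: path });
    }
    for (const p of NETWORK_PATTERNS) if (p.re.test(text)) findings.push({ id: p.id, where: path });
    for (const ip of text.match(/\b\d{1,3}(?:\.\d{1,3}){3}\b/g) || []) {
      if (knownIps.has(ip)) findings.push({ id: 'known-c2-ip', where: path, detail: ip });
    }
  }
  // A lifecycle hook alone is common in benign packages (native builds, etc.);
  // paired with a hidden or obfuscated payload it is the pattern the report describes.
  const cats = new Set(findings.map((f) => f.id.split(':')[0]));
  let verdict = cats.size ? 'review' : 'clean';
  if (cats.has('known-c2-ip') || cats.has('c2-port-1224') || (cats.has('lifecycle-hook') && cats.size > 1)) verdict = 'block';
  return { verdict, findings };
}

// Constructed sample: a package built to show the traits above (not a real one).
const SAMPLE_BAD = {
  manifest: { name: 'react-hooks-utilz', version: '1.0.3', scripts: { postinstall: 'node node_modules/.cache/init.js' } },
  files: {
    'index.js': 'module.exports = require("./lib");',
    'LICENSE': 'MIT License\n\nCopyright (c) 2024 Example\n\n'
      + 'const s="\\x68\\x74\\x74\\x70";eval(Buffer.from("Y29uc29sZS5sb2co","base64").toString());',
    'node_modules/.cache/init.js': 'const u="http://144.172.105.235:1224/api";require("https");',
  },
};

// Constructed sample: an ordinary package with a plain license and a test script.
const SAMPLE_OK = {
  manifest: { name: 'left-pad-ish', version: '2.0.0', scripts: { test: 'node test.js' } },
  files: {
    'index.js': 'module.exports = (s, n) => String(s).padStart(n);',
    'LICENSE': 'MIT License\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software.',
    'test.js': 'const pad = require("./index.js"); if (pad("a", 3) !== "  a") throw new Error("fail");',
  },
};

for (const [name, pkg] of Object.entries({ SAMPLE_BAD, SAMPLE_OK })) {
  const { verdict, findings } = auditPackage(pkg);
  console.log(name, verdict, findings.map((f) => f.id).join(', '));
}
```

Run it against an unpacked tarball by reading the manifest and files into the same shape (for example from `npm pack` output) before `npm install` executes any hook. The verdict logic deliberately treats a lifecycle hook on its own as "review" rather than "block", since native-module packages use them legitimately; it is the combination with a hidden or obfuscated payload, or a known C2 indicator, that matches the report's pattern.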

Indicators of Compromise

Type   Value                                   First Seen   Last Seen
IPv4   144.172.105.235                         2025-07-31   2026-01-21
IPv4   144.172.106.7                           2025-07-31   2026-01-21
IPv4   144.172.109.98                          2025-07-31   2026-01-21
IPv4   45.61.165.45                            2025-07-31   2026-01-21
IPv4   45.61.128.61                            2025-07-31   2026-01-21
IPv4   135.181.123.177                         2025-04-11   2025-10-16
HASH   1c7631aca0c00365e8a7e68dd11045e…        2025-07-31   2025-07-31
HASH   f11e5d193372b6986b7333c0367ed23…        2025-07-31   2025-07-31
HASH   cf17723e776e880802357825a8a139d6        2025-07-31   2025-07-31
HASH   0123456789abcdef0123456789abcdef        2025-07-31   2025-07-31
URL    https://api.npoint.io/e5a5e32cd…        2025-07-31   2025-07-31
IPv4   144.172.104.10                          2025-07-31   2025-07-31
IPv4   45.61.150.67                            2025-07-31   2025-07-31
IPv4   95.216.46.218                           2025-07-31   2025-07-31
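A table like this is what a detection engineer turns into a log sweep. The following is an added example written for this page, not Veracode's code: it parses rows in the table's own whitespace-separated layout and checks constructed log lines against them. Values that end in "…" are truncated on the page, so they can only be prefix-matched and are reported as such; the standalone port-1224 check is a heuristic that flags any destination on that port, listed or not. The log lines, the 198.51.100.7 and 203.0.113.9 addresses (documentation ranges) and the continuation of the npoint.io path are constructed, not observed data.

```javascript
// Added example for this page (not Veracode's code): turn the IOC table into
// records and sweep log lines against it. Values ending in "…" are truncated
// on the page, so they can only be prefix-matched and are reported as such.

// Rows copied from the table above, in its own whitespace-separated layout.
const IOC_TABLE = `Type Value First Seen Last Seen
IPv4 144.172.105.235 2025-07-31 2026-01-21
IPv4 45.61.165.45 2025-07-31 2026-01-21
IPv4 135.181.123.177 2025-04-11 2025-10-16
HASH 1c7631aca0c00365e8a7e68dd11045e… 2025-07-31 2025-07-31
HASH cf17723e776e880802357825a8a139d6 2025-07-31 2025-07-31
URL https://api.npoint.io/e5a5e32cd… 2025-07-31 2025-07-31`;

// The report says port 1224 was reused across packages and C2 hosts.
const C2_PORT = 1224;

function parseIocTable(text) {
  const rows = [];
  for (const line of text.split('\n').slice(1)) { // first line is the header
    const parts = line.trim().split(/\s+/);
    if (parts.length !== 4) continue;
    const [type, raw, firstSeen, lastSeen] = parts;
    const partial = raw.endsWith('…');
    let value = partial ? raw.slice(0, -1) : raw;
    if (type === 'HASH') value = value.toLowerCase();
    rows.push({ type, value, partial, firstSeen, lastSeen });
  }
  return rows;
}

// Pull every IOC-shaped token out of a log line, keyed by the table's Type column.
function extractCandidates(line) {
  return {
    IPv4: line.match(/\b\d{1,3}(?:\.\d{1,3}){3}\b/g) || [],
    HASH: (line.match(/\b[0-9a-f]{32,64}\b/gi) || []).map((h) => h.toLowerCase()),
    URL: line.match(/https?:\/\/\S+/g) || [],
  };
}

function sweepLogs(iocs, lines) {
  const hits = [];
  lines.forEach((line, i) => {
    const cands = extractCandidates(line);
    for (const ioc of iocs) {
      for (const c of cands[ioc.type] || []) {
        const matched = ioc.partial ? c.startsWith(ioc.value) : c === ioc.value;
        if (matched) hits.push({ line: i, type: ioc.type, value: c, confidence: ioc.partial ? 'prefix' : 'exact' });
      }
    }
    // Heuristic: any destination on the reused C2 port, even an unlisted IP.
    const m = line.match(/\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\b/);
    if (m && Number(m[2]) === C2_PORT) hits.push({ line: i, type: 'PORT', value: `${m[1]}:${m[2]}`, confidence: 'heuristic' });
  });
  return hits;
}

// Constructed log lines (not observed data). 198.51.100.7 and 203.0.113.9 are
// documentation-range addresses; the npoint.io path continuation is made up to
// exercise the prefix match.
const LOG_LINES = [
  '2025-08-02T10:14:03Z conn src=10.0.0.12:51344 dst=144.172.105.235:1224 proto=tcp',
  '2025-08-02T10:14:05Z conn src=10.0.0.12:51345 dst=198.51.100.7:443 proto=tcp',
  '2025-08-02T10:15:00Z file md5=CF17723E776E880802357825A8A139D6 path=/home/dev/proj/node_modules/.cache/init.js',
  '2025-08-02T10:16:11Z http GET https://api.npoint.io/e5a5e32cd000example ua=node',
  '2025-08-02T10:17:40Z conn src=10.0.0.12:51350 dst=203.0.113.9:1224 proto=tcp',
];

for (const h of sweepLogs(parseIocTable(IOC_TABLE), LOG_LINES)) {
  console.log(`line ${h.line}: ${h.type} ${h.value} (${h.confidence})`);
}
```

Prefix hits should be confirmed against the full value from the original report before anyone acts on them, and the port-1224 heuristic will fire on unrelated services that happen to use that port, so treat it as a triage signal rather than a verdict.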
