North Korea's abuse of Cloudflare Workers and Pages

2026-05-01 Kmsec

https://kmsec.uk/blog/dprk-pages-dev-abuse/

A five-package npm cluster used Cloudflare Pages and Workers infrastructure to deliver PylangGhost RAT. The packages shared related maintainer names, email patterns, publish timing, and dependency links, leading the source to assess they were likely operated by one actor. The infection chain ran at project runtime, profiled the host with node-env-detector, and only evaluated an encrypted payload when the environment appeared to be a real victim rather than a sandbox. The loader used runtime character-stacking logic to resolve eval and then fetched remote code from keo.pages.dev, reflecting newer evasion tradecraft attributed to FAMOUS CHOLLIMA and linked to Contagious Trader activity.
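
As an added defender-side example (not code from the original post or from the packages it describes), the following static check flags JavaScript source that assembles the name eval or Function from individual characters, the character-stacking trick described above. The three recognised patterns and the loader-like sample source are constructed for illustration.

```javascript
// Added example: flag source that builds "eval"/"Function" from characters.
// Recognises three constructed patterns: String.fromCharCode(...) with
// numeric literals, concatenated single-character string literals, and an
// array of single-character literals joined with ''.

const SENSITIVE = new Set(['eval', 'Function']);

// Decode the numeric arguments of String.fromCharCode(101,118,97,108).
function decodeFromCharCode(args) {
  return args.split(',').map(n => String.fromCharCode(Number(n.trim()))).join('');
}

// Collect quoted single characters from a fragment such as 'e' + "v" + 'a' + 'l'.
function stackedChars(fragment) {
  return [...fragment.matchAll(/(['"])(.)\1/g)].map(m => m[2]).join('');
}

// Scan a source string; return one finding per construction that resolves
// to a sensitive name. Benign concatenations (e.g. 'lo' + 'g') are ignored.
function findStackedEval(source) {
  const patterns = [
    { kind: 'fromCharCode', re: /String\.fromCharCode\(\s*([\d,\s]+)\)/g,
      decode: m => decodeFromCharCode(m[1]) },
    { kind: 'concat', re: /(?:(['"]).\1\s*\+\s*){1,}(['"]).\2/g,
      decode: m => stackedChars(m[0]) },
    { kind: 'join', re: /\[((?:\s*(['"]).\2\s*,?)+)\]\s*\.join\(\s*(['"])\3\s*\)/g,
      decode: m => stackedChars(m[1]) },
  ];
  const findings = [];
  for (const { kind, re, decode } of patterns) {
    for (const m of source.matchAll(re)) {
      const resolved = decode(m);
      if (SENSITIVE.has(resolved)) findings.push({ kind, resolved, offset: m.index });
    }
  }
  return findings;
}

// Constructed loader-like sample for demonstration; not real malware code.
const SAMPLE = [
  "const a = String.fromCharCode(101,118,97,108);",
  "const b = 'e' + 'v' + 'a' + 'l';",
  "const c = ['F','u','n','c','t','i','o','n'].join('');",
  "const d = 'lo' + 'g'; // benign concatenation, not flagged",
  "globalThis[a](payload);",
].join('\n');

console.log(findStackedEval(SAMPLE));
```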

Indicators of Compromise

Type Value First Seen Last Seen
HASH 2c1a77d61944974dc2bec5aaf0ec5d0f 2026-05-01 2026-05-01
IPv4 187.127.248.20 2026-05-01 2026-05-01
IPv4 187.77.111.137 2026-05-01 2026-05-01
DOMAIN deoft.org 2026-05-01 2026-05-01
DOMAIN dpw.jr12012025z.workers.dev 2026-05-01 2026-05-01
DOMAIN keo.pages.dev 2026-05-01 2026-05-01
