North Korea’s Post-Infection Python Payloads

2024-04-03 Norfolk

https://norfolkinfosec.com/north-koreas-post-infection-python-payloads/


A North Korean npm supply chain campaign deployed Python post-infection scripts against developers rather than relying solely on malicious DLL delivery. The malicious Frontend.zip package retrieved an obfuscated main script that created a .n2 directory, then downloaded a browser stealer and a backdoor payload from actor-controlled infrastructure. The browser module harvested data from Chrome, Opera, Brave, and Yandex on Windows, Linux, and macOS, while the backdoor payload collected host and geolocation details before connecting to a second C2. Its supported commands covered process killing, shell execution, file upload, keylogger retrieval, document collection, AnyDesk installation, and re-fetching the browser stealer.

Indicators of Compromise

Type    Value                                First Seen   Last Seen
DOMAIN  ip-api.com                           2022-11-14   2026-01-21
HASH    8b2f2fad1d1f1e6ad915ea2224dd9f8…     2024-04-03   2024-04-03
HASH    72400a957654371be9363fdd2753ffe…     2024-04-03   2024-04-03
HASH    ba47df4e0cccdff1c6e81b7a9e347ac…     2024-04-03   2024-04-03
