Novel DPRK stager using Pastebin and text steganography

2026-02-26 Kmsec

https://kmsec.uk/blog/dprk-text-steganography/


FAMOUS CHOLLIMA published seventeen npm packages on 25-26 February 2026 that used Pastebin and custom text steganography as a dead-drop resolver. Each package ran an install script that loaded an obfuscated vendor/scrypt-js/version.js payload, fetched Pastebin text, decoded hidden characters into Vercel C2 hostnames, and then attempted those hosts as fallbacks. The active Vercel deployment ext-checkdin[.]vercel[.]app returned OS-specific payloads from /api/l, /api/m, and /api/w that executed follow-on shell commands on Linux, macOS, and Windows. The technique shows rapid experimentation in DPRK-linked npm staging while giving defenders concrete package names, Pastebin references, Vercel domains, paths, and payload hashes for hunting.

Indicators of Compromise

Type   Value                               First Seen   Last Seen
HASH   da1775d0fbe99fbc35b6f0b4a3a3cb8…    2026-02-26   2026-02-27
HASH   bce0da6547ae74f97e2bb61672a3e15…    2026-02-26   2026-02-26
HASH   e361d2859ba2eb2540bf6fb12db0b98…    2026-02-26   2026-02-26
HASH   869c327b8dc757fa126cd281bc4a14d…    2026-02-26   2026-02-26
URL    https://pastebin.com/CJ5PrtNk       2026-02-26   2026-02-26
URL    https://pastebin.com/0ec7i68M       2026-02-26   2026-02-26
URL    https://pastebin.com/DjDCxcsT       2026-02-26   2026-02-26
