An investigation into the Mentonex GitHub organization found an active npm backdoor chain, fake developer personas, and facilitator-recruitment activity that the author says maps closely to documented DPRK tradecraft. The malicious chain used logkitx, logger-base, and dev-log-core packages published by the same npm account, with dev-log-core fetching base64-encoded code from Vercel-hosted endpoints and executing it dynamically through new Function(). The payload could access the filesystem, network, and child processes, while infrastructure rotated from ngrok-free.vercel.app to logkit.vercel.app and logkit-tau.vercel.app as the package versions evolved. The report also links the npm infrastructure and persona clusters to patterns seen in North Korea-linked developer-targeting activity, including fake organizations, cloned projects, stock or AI-generated identities, and remote-work facilitator recruitment.