npm package bigmathix and the BigSquatRat campaign behind it

2026-01-19 Kmsec

https://kmsec.uk/blog/js-malware-bigmathix/

A malicious npm package named bigmathix impersonated the legitimate big.js library and introduced malicious version 1.0.2 after two benign releases and more than 20 days of dwell time. The package, published by jacksonroman338, used an obfuscated multi-stage Node.js infection chain that launched dist/big.min.js and relied on dynamic variables to hinder immediate deobfuscation. The campaign used GitHub infrastructure, DNS resolution, base64 encoding, SHA-256-derived values, and encryption to conceal the next-stage payload URL. The identified infrastructure included C2 domain aurevian.cloud and attacker-controlled npm packages axios-net, bigmathix, bigmathex, bignumx, and bigmathutils. Although the original analysis withheld attribution, later ReversingLabs evidence tied the activity strongly to FAMOUS CHOLLIMA's Contagious Interview campaign.