Phylum Discovers Sophisticated Ongoing Attack on NPM

2023-06-23 Phylum

https://blog.phylum.io/sophisticated-ongoing-attack-discovered-on-npm/


Phylum observed a coordinated npm supply-chain campaign in which malicious packages were published in pairs that only worked when installed in sequence on the same host. The first package used a preinstall hook to install sync-request, contact an attacker-controlled server, and write a token under a path such as ~/.vscode, ~/.cprice, ~/.npm, or ~/.config; the paired second package then read that token to fetch and execute the next-stage script. Across repeated deployments the package pairs used varying names, endpoints, and infrastructure, including npmrepos.com, tradingprice.net, npmcloudjs.com, npmjsregister.com, and bi2price.com, which suggests deliberate evasion. The excerpted report presents infrastructure and infection-chain evidence rather than a definitive attribution claim, so this summary does not label the activity as DPRK beyond the links made by other sources.
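The infection chain above hinges on two things a defender can check before or after an install: lifecycle scripts that npm runs automatically (preinstall, install, postinstall) and packages or hooks that reach out to the domains in the IoC table. The following audit script is an added example written for this summary; it is not Phylum's tooling or code from the report. The manifests and lockfile it scans are constructed samples, and the function names (audit_manifest, audit_lockfile) are this example's own.

```python
"""Audit npm package.json / package-lock.json for install-time hooks and IoC domains.

Added example for this summary; not Phylum's code. Sample inputs are constructed.
"""
import re
from urllib.parse import urlparse

# Domains taken from the report's Indicators of Compromise table.
IOC_DOMAINS = frozenset({
    "tradingprice.net", "npmrepos.com", "npmcloudjs.com",
    "bi2price.com", "npmjsregister.com",
})
# Lifecycle scripts npm runs automatically when a package is installed from the registry.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Dependency the first-stage package pulled in to make outbound HTTP calls.
SUSPICIOUS_DEPS = frozenset({"sync-request"})
# Crude URL matcher for script strings; good enough for triage, not a full parser.
URL_RE = re.compile(r"https?://[^\s'\"`)]+")


def domain_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def matches_ioc(host: str) -> bool:
    """True if host equals, or is a subdomain of, any IoC domain."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def audit_manifest(manifest: dict) -> list[str]:
    """Flag install-time hooks, IoC URLs inside them, and suspicious dependencies."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        # Any install-time hook deserves review; it runs with the installing user's rights.
        findings.append(f"install-time hook '{hook}': {cmd}")
        for url in URL_RE.findall(cmd):
            if matches_ioc(domain_of(url)):
                findings.append(f"hook '{hook}' references IoC domain {domain_of(url)}")
        for dep in SUSPICIOUS_DEPS:
            if dep in cmd:
                findings.append(f"hook '{hook}' mentions {dep}")
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for dep in (manifest.get(section) or {}):
            if dep in SUSPICIOUS_DEPS:
                findings.append(f"{section} includes {dep}")
    return findings


def audit_lockfile(lock: dict) -> list[str]:
    """Flag entries in a lockfile v2/v3 'packages' map resolved from an IoC domain."""
    findings = []
    for path, entry in (lock.get("packages") or {}).items():
        resolved = entry.get("resolved", "")
        if resolved and matches_ioc(domain_of(resolved)):
            findings.append(f"{path or '<root>'} resolved from {domain_of(resolved)}")
    return findings


# Constructed samples (not real packages): one benign manifest, one that mirrors
# the first-stage pattern, and a lockfile with one entry fetched from an IoC domain.
BENIGN_MANIFEST = {
    "name": "constructed-benign", "version": "1.0.0",
    "scripts": {"test": "jest"}, "dependencies": {"lodash": "^4.17.21"},
}
SUSPECT_MANIFEST = {
    "name": "constructed-suspect", "version": "1.0.0",
    "scripts": {"preinstall": "node setup.js"},
    "dependencies": {"sync-request": "^6.1.0"},
}
SUSPECT_LOCKFILE = {
    "packages": {
        "": {"name": "constructed-app"},
        "node_modules/foo": {"resolved": "https://registry.npmjs.org/foo/-/foo-1.0.0.tgz"},
        "node_modules/bar": {"resolved": "https://cdn.npmrepos.com/bar-0.0.1.tgz"},
    }
}

if __name__ == "__main__":
    for label, m in (("benign", BENIGN_MANIFEST), ("suspect", SUSPECT_MANIFEST)):
        print(label, audit_manifest(m) or "clean")
    print("lockfile", audit_lockfile(SUSPECT_LOCKFILE) or "clean")
```

Run it against a checkout's package.json and package-lock.json after loading them with json.load; an empty list is a clean result. The hook check is deliberately broad, since any preinstall script is worth a look, while the domain and dependency checks are the campaign-specific signal.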

Indicators of Compromise

Type    Value                                 First Seen   Last Seen
DOMAIN  tradingprice.net                      2023-06-23   2023-08-02
DOMAIN  npmrepos.com                          2023-06-23   2023-08-02
DOMAIN  npmcloudjs.com                        2023-06-23   2023-08-02
DOMAIN  bi2price.com                          2023-06-23   2023-08-02
DOMAIN  npmjsregister.com                     2023-06-23   2023-08-02
URL     https://tradingprice.net/checkt…      2023-06-23   2023-06-23
URL     https://bi2price.com/getfullhis…      2023-06-23   2023-06-23
