Resurgent North Korean Malware Campaign in npm

2025-04-09 Veracode

https://www.veracode.com/blog/resurgent-north-korean-malware-campaign-in-npm/

Veracode describes a renewed North Korean npm malware campaign that targets developers with malicious packages disguised as logging, validation, React, or utility libraries. The packages appear designed for social-engineering workflows in which a target runs a private interview, pair-coding, or code-review project that silently pulls the malicious dependency from npm. Veracode observed nested import chains hiding executable JavaScript in files such as regEx.ico, plus hex-encoded strings and small modifications to popular-looking libraries. The malware searches browser profiles and cryptocurrency wallet data, including Solana id.json files, establishes persistence, downloads additional payloads, and exfiltrates stolen data to attacker-controlled endpoints; Socket independently attributed the package set to Lazarus Group.
