StegaBin: 26 Malicious npm Packages Use Pastebin Steganograp...

2026-02-27 Socket

https://socket.dev/blog/stegabin-26-malicious-npm-packages-use-pastebin-steganography


Socket uncovered 26 malicious npm packages tied to North Korea’s Contagious Interview activity and assessed the tradecraft as consistent with FAMOUS CHOLLIMA. The packages were typosquats of widely used developer libraries and executed install scripts that loaded an obfuscated vendor/scrypt-js/version.js payload. That loader decoded C2 domains hidden in Pastebin text through character-level steganography, then reached Vercel-hosted infrastructure for platform-specific shell payloads. Follow-on stages installed Node.js where needed, launched a RAT connecting to 103[.]106[.]67[.]63:1244, and deployed nine modules targeting VSCode persistence, clipboard data, browser credentials, SSH keys, Git repositories, and local secrets. The campaign is significant because it weaponized the npm supply chain against developers while using resilient dead-drop and hosting infrastructure to deliver automated post-exploitation tooling.

Indicators of Compromise

Type    Value                              First Seen   Last Seen
IPv4    103.106.67.63                      2026-02-27   2026-02-27
HASH    da1775d0fbe99fbc35b6f0b4a3a3cb8…   2026-02-26   2026-02-27
DOMAIN  reliablesite.net                   2024-09-23   2026-02-27
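As an added defender-side example (not Socket's tooling and not code from the campaign), the check below flags an unpacked npm package whose install-time lifecycle scripts run the loader path named in the summary, or whose files mention the RAT endpoint from the IoC table; the sample manifest and file tree are constructed for illustration.

```python
"""Hunt an unpacked npm package for the StegaBin install-script and C2 indicators."""
import json
import os

LOADER_PATH = "vendor/scrypt-js/version.js"   # loader path named in the report
RAT_C2 = "103.106.67.63:1244"                  # RAT endpoint from the IoC table
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

def lifecycle_hits(manifest: dict) -> list:
    """Return (hook, command) pairs for install-time scripts that touch the loader path."""
    scripts = manifest.get("scripts") or {}
    return [(hook, cmd) for hook, cmd in scripts.items()
            if hook in LIFECYCLE_HOOKS and LOADER_PATH in cmd]

def c2_hits(files: dict) -> list:
    """Return relative paths of text files that mention the C2 host:port."""
    return sorted(path for path, text in files.items() if RAT_C2 in text)

def assess(manifest: dict, files: dict) -> dict:
    """Combine both checks into a single verdict for one package."""
    hooks, refs = lifecycle_hits(manifest), c2_hits(files)
    return {"lifecycle": hooks, "c2_refs": refs, "suspicious": bool(hooks or refs)}

def assess_dir(root: str) -> dict:
    """Run assess() over a real unpacked package directory (text files only)."""
    with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8") as fh:
                    files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
            except (UnicodeDecodeError, OSError):
                continue  # skip binaries and unreadable files
    return assess(manifest, files)

# Constructed sample mimicking the reported pattern; not a real package from the campaign.
SAMPLE_MANIFEST = {"name": "example-typosquat", "version": "1.0.0",
                   "scripts": {"postinstall": "node vendor/scrypt-js/version.js"}}
SAMPLE_FILES = {"vendor/scrypt-js/version.js": "/* obfuscated loader placeholder */",
                "lib/rat.js": "connect('103.106.67.63:1244')"}

if __name__ == "__main__":
    print(assess(SAMPLE_MANIFEST, SAMPLE_FILES))
```

Point assess_dir() at a directory produced by `npm pack` plus extraction to run the same checks against a real package before it is installed.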
