Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access

2024-08-01 Datadog

https://securitylabs.datadoghq.com/articles/stressed-pungsan-dprk-aligned-threat-actor-leverages-npm-for-initial-access/


Datadog found two npm packages, harthat-hash and harthat-api, published on July 7, 2024 by nagasiren978, that used preinstall scripts to run malicious JavaScript on installation. The packages copied legitimate node-config code but added deference.js and pk.json; the preinstall script created a Windows batch file that downloaded a payload from 142.111.77.196, renamed it to package.db, and executed it via rundll32. Datadog assessed the TTPs, infrastructure, and Windows-focused payload delivery as closely aligned with Microsoft's DPRK-linked MOONSTONE SLEET cluster, which Datadog tracks as Stressed Pungsan. Analysis of the delivered DLL found exported GenerateKey functions but no observed malicious behavior, leading Datadog to assess that it may have been unfinished or used to test C2 and delivery infrastructure.
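The install-time behavior described above (a preinstall hook running a bundled script that reaches out to the listed IP and hands a downloaded file to rundll32) is what a package audit should surface before `npm install` ever runs the hook. The following is an added example of such an audit, written for this summary and not taken from Datadog's tooling or from the article: it inspects a package's manifest for lifecycle hooks, checks that any script the hook invokes is actually shipped in the package, and scans shipped files for the IoC address and for the artifact names the write-up mentions. The sample manifest and the contents of deference.js are constructed stand-ins modelled on the description; the exact script text of the real packages is not on this page and is not reproduced.

```python
"""Audit an unpacked npm package for install-time script abuse.

Added example (not Datadog's tooling). Inputs are the package.json text and
a mapping of shipped file name -> file contents, as a pre-install scanner
would have them after extracting the tarball.
"""
import json
import re

# Hooks npm runs automatically during installation of a dependency.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# IPv4 indicator from the report's IoC table.
IOC_IPV4 = {"142.111.77.196"}

# Artifact names the write-up associates with the delivery chain.
SUSPICIOUS_TOKENS = ("rundll32", ".bat", "package.db")


def audit_package(package_json: str, files: dict) -> list:
    """Return human-readable findings for one unpacked npm package."""
    findings = []
    manifest = json.loads(package_json)
    scripts = manifest.get("scripts", {})

    # 1. Any lifecycle hook is worth a finding: it executes on the
    #    developer's or CI machine without further interaction.
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        findings.append(f"{hook}: runs '{cmd}' during npm install")
        # Scripts the hook invokes that are not in the package are
        # either broken or fetched from elsewhere; flag them too.
        for ref in re.findall(r"[\w./-]+\.js\b", cmd):
            normalized = ref[2:] if ref.startswith("./") else ref
            if normalized not in files:
                findings.append(f"{hook}: references {ref}, which is not shipped in the package")

    # 2. Content scan of every shipped file for the IoC and artifact names.
    for name, body in files.items():
        for ip in IOC_IPV4:
            if ip in body:
                findings.append(f"{name}: contains IoC address {ip}")
        for token in SUSPICIOUS_TOKENS:
            if token in body:
                findings.append(f"{name}: contains '{token}'")
    return findings


# Constructed sample: a manifest shaped like the malicious package, with a
# stand-in deference.js whose text merely names the artifacts (no real code).
SAMPLE_MANIFEST = json.dumps({
    "name": "harthat-hash",
    "version": "1.0.0",
    "scripts": {"preinstall": "node deference.js"},
})
SAMPLE_FILES = {
    "package.json": SAMPLE_MANIFEST,
    "deference.js": "/* constructed stand-in: fetch http://142.111.77.196/ then rundll32 package.db */",
}

# Constructed clean package for comparison: no hooks, no indicators.
CLEAN_MANIFEST = json.dumps({"name": "tidy-lib", "version": "2.0.0", "scripts": {"test": "jest"}})
CLEAN_FILES = {"package.json": CLEAN_MANIFEST, "index.js": "module.exports = 1;"}


if __name__ == "__main__":
    for line in audit_package(SAMPLE_MANIFEST, SAMPLE_FILES):
        print("FINDING:", line)
    print("clean package findings:", audit_package(CLEAN_MANIFEST, CLEAN_FILES))
```

Running this on the constructed sample yields four findings (the preinstall hook, the IoC address, and the two artifact names); the clean package yields none. In practice the same check belongs in a registry proxy or a pre-install CI step, and `npm install --ignore-scripts` is the blunt mitigation while a flagged package is reviewed.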

Indicators of Compromise

Type     Value                              First Seen   Last Seen
IPv4     142.111.77.196                     2024-08-01   2025-10-20
HASH     d2a74db6b9c900ad29a81432af72eee…   2024-08-01   2024-08-01
EMAIL    [email protected]                  2024-08-01   2024-08-01
DOMAIN   lorenwest.com                      2024-08-01   2024-08-01
