Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview

2024-10-24 Datadog

https://securitylabs.datadoghq.com/articles/tenacious-pungsan-dprk-threat-actor-contagious-interview/


Datadog Security Research found three malicious npm packages, passports-js, bcrypts-js, and blockscan-api, carrying obfuscated BeaverTail malware; together they totaled 323 downloads. The packages were namesquatted or backdoored copies of legitimate JavaScript libraries aimed at developers, including blockchain-related Node.js users. Deobfuscated samples matched the BeaverTail behavior associated with DPRK-linked Contagious Interview activity: theft from cryptocurrency wallets, browser caches, and login keychains; exfiltration to a C2 server; and logic to retrieve the InvisibleFerret Python backdoor. The samples contacted 95.164.17[.]24 on port 1224 and reused Contagious Interview-style paths such as /uploads, /pdown, and /client/<integer>/<campaign ID>, with campaign IDs including 726 and another previously reported blockchain-focused identifier. Datadog attributes the activity to a single threat actor it names Tenacious Pungsan, while noting that the second-stage InvisibleFerret payloads were not recovered before the infrastructure was taken down.
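The indicators in the summary above (the three package names, the C2 address and port, and the /uploads, /pdown and /client/<integer>/<campaign ID> paths) are enough to build a small triage script. The following is an added example written for this page, not code from Datadog or from the report; the package-lock structure follows npm's real lockfile layout, but the proxy log format, the sample lockfile and the package versions in it are constructed placeholders.

```javascript
// Added example (not Datadog's code): triage helpers built from the indicators in the
// report. Package names, C2 IP/port and URI paths come from the report text; the proxy
// log format and every sample value below are constructed for this example.

const MALICIOUS_PACKAGES = new Set(['passports-js', 'bcrypts-js', 'blockscan-api']);
const C2_HOST = '95.164.17.24';
const C2_PORT = '1224';
// /uploads, /pdown and /client/<integer>/<campaign ID>, as described in the report
const C2_PATH_RE = /^\/(uploads|pdown|client\/\d+\/[^/?#]+)\/?$/;

// Walks a parsed package-lock.json (lockfileVersion 1, 2 or 3) and returns any
// dependency whose name is one of the known-malicious packages.
function findMaliciousDependencies(lockfile) {
  const hits = new Map();
  // v2/v3: "packages" keyed by "node_modules/<name>" (nested installs have longer prefixes)
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    const name = key.replace(/^.*node_modules\//, '');
    if (MALICIOUS_PACKAGES.has(name)) hits.set(name, entry.version);
  }
  // v1: "dependencies" keyed directly by package name
  for (const [name, entry] of Object.entries(lockfile.dependencies || {})) {
    if (MALICIOUS_PACKAGES.has(name) && !hits.has(name)) hits.set(name, entry.version);
  }
  return [...hits].map(([name, version]) => ({ name, version }));
}

// Classifies one outbound URL against the indicators. Returns a reason string or null.
// The path regex is only consulted once the host matches: /uploads on its own is far
// too generic to alert on.
function classifyUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  const port = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (url.hostname === C2_HOST && port === C2_PORT) {
    return C2_PATH_RE.test(url.pathname) ? 'c2-host+known-path' : 'c2-host';
  }
  if (url.hostname === 'registry.npmjs.org') {
    const pkg = url.pathname.split('/')[1]; // "/passports-js" or "/passports-js/-/..."
    if (MALICIOUS_PACKAGES.has(pkg)) return 'malicious-package-fetch';
  }
  return null;
}

// Constructed proxy log format: "<ISO timestamp> <client IP> <METHOD> <URL> <status>"
function scanProxyLog(logText) {
  const flagged = [];
  for (const line of logText.split('\n')) {
    const parts = line.trim().split(/\s+/);
    if (parts.length < 5) continue;
    const [ts, client, method, rawUrl] = parts;
    const reason = classifyUrl(rawUrl);
    if (reason) flagged.push({ ts, client, method, url: rawUrl, reason });
  }
  return flagged;
}

// Constructed sample lockfile; versions are placeholders, not taken from the report.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/passport': { version: '0.7.0' },
    'node_modules/passports-js': { version: '0.4.0' },
    'node_modules/blockscan-api': { version: '1.0.0' },
  },
};

// Constructed sample proxy log lines.
const SAMPLE_LOG = [
  '2024-10-24T12:00:01Z 10.0.0.5 POST http://95.164.17.24:1224/uploads 200',
  '2024-10-24T12:00:07Z 10.0.0.5 GET http://95.164.17.24:1224/client/5/726 200',
  '2024-10-24T12:00:09Z 10.0.0.5 GET http://95.164.17.24:1224/pdown 200',
  '2024-10-24T12:00:30Z 10.0.0.9 GET https://registry.npmjs.org/bcrypts-js 200',
  '2024-10-24T12:01:00Z 10.0.0.7 GET https://example.com/uploads 200',
  '2024-10-24T12:01:10Z 10.0.0.7 GET https://registry.npmjs.org/passport 200',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findMaliciousDependencies(SAMPLE_LOCKFILE));
  console.log(scanProxyLog(SAMPLE_LOG));
}
```

Run it with `node triage.js` on a real package-lock.json (replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync(...))`) and on exported proxy logs after adapting the line parser to your log format. The host-then-path ordering in classifyUrl is deliberate: the IP and port are the specific indicator, the paths only add confidence, and the registry check catches the package being installed even when the C2 is already offline.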

Indicators of Compromise

Type     Value                 First Seen    Last Seen
DOMAIN   outlook.com           2018-09-06    2026-04-17
IPv4     95.164.17.24          2024-07-15    2026-04-01
EMAIL    [email protected]     2024-10-24    2024-10-24
EMAIL    [email protected]     2024-10-24    2024-10-24
