Tracking an OtterCookie Infostealer Campaign Across npm
2026-04-07 • Panther
https://panther.com/blog/tracking-an-ottercookie-infostealer-campaign-across-npm
A cluster of malicious npm packages published between April 6 and April 9, 2026 delivered OtterCookie variants, described as a credential-theft and backdoor toolchain attributed to North Korean threat actors. The campaign used a two-layer supply-chain pattern: benign-looking wrapper packages cloned legitimate libraries such as `big.js` while pulling in malicious dependencies like `bjs-lint-builder`. On install, a `postinstall` hook executed obfuscated loader code that performed targeted theft of Solana wallet keypairs, Rust configuration, environment files, and broader filesystem content, exfiltrating to Vercel-hosted domains including `cloudflarefirewall[.]vercel[.]app` and `cloudflareinsights[.]vercel[.]app`. The malware fetched a dynamic scan configuration, uploaded matched files together with victim metadata, and on Linux appended a fetched SSH public key to `~/.ssh/authorized_keys` while attempting to open port 22. The report ties the activity to DPRK/FAMOUS CHOLLIMA through shared Contagious Trader infrastructure, package patterns, C2 endpoints, throwaway accounts, and overlapping operational mistakes.
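A defensive check for the two-layer pattern described above, added here as an example and not code from Panther's report: it audits a `package.json` for install-time lifecycle hooks and for the wrapper/clone signature (a name that embeds a known library's name while declaring dependencies that library does not have). The known-package reference table, the sample manifest and the package name `placeholder-big-js` are constructed assumptions; `bjs-lint-builder` is the dependency named in the report.

```python
import json
import re

# Lifecycle hooks npm runs automatically during `npm install`; the campaign
# described above used postinstall to launch its loader.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed reference (an assumption for this example): well-known packages
# mapped to the runtime dependencies they are expected to declare.
KNOWN_PACKAGES = {"big.js": set(), "lodash": set()}


def _normalize(name: str) -> str:
    """Drop case and punctuation so `big.js`, `big-js` and `bigjs` compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def audit_package_json(text: str) -> list[str]:
    """Return findings for one package.json: install hooks and the wrapper pattern."""
    pkg = json.loads(text)
    findings = []
    name = pkg.get("name", "")
    scripts = pkg.get("scripts", {})
    deps = set(pkg.get("dependencies", {}))

    # 1. Any install-time hook deserves review; report what it would run.
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"install-time hook {hook!r} runs: {scripts[hook]}")

    # 2. Wrapper/clone heuristic: the name embeds a known package's name, yet the
    #    manifest declares dependencies that package is not expected to have.
    norm = _normalize(name)
    for known, expected in KNOWN_PACKAGES.items():
        k = _normalize(known)
        if name == known or (len(k) >= 4 and k in norm):
            if name != known:
                findings.append(f"name {name!r} resembles known package {known!r}")
            for extra in sorted(deps - expected):
                findings.append(f"dependency {extra!r} is not declared by upstream {known!r}")
            break
    return findings


# Constructed sample manifest modelled on the wrapper pattern; not a real
# package from the campaign.
SAMPLE_PACKAGE_JSON = """{
  "name": "placeholder-big-js",
  "dependencies": {"bjs-lint-builder": "^1.0.0"},
  "scripts": {"postinstall": "node ./lib/setup.js"}
}"""
```

Running `audit_package_json(SAMPLE_PACKAGE_JSON)` yields three findings (the postinstall hook, the lookalike name, and the extra dependency); a manifest matching its upstream's declared dependencies with no install hooks yields none.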
Indicators of Compromise