VMware artifacts left by a FAMOUS CHOLLIMA operator
2026-02-13 • Kmsec
A FAMOUS CHOLLIMA operator accidentally included a Windows LNK file in multiple malicious npm packages published between May and June 2025. The shortcut metadata points to a VMware-based development setup with a shared host path under \\vmware-host\Shared Folders\VM_Share\Repos_paladin\my_npm\logs-buffer, tying the artifact to package-building activity. The same LNK appeared across packages including logbin-nodejs, vite-plugin-style-svg, vite-plugin-purify, nextjs-insight, and react-babel-purify, all associated with the same payload hash and the next-stage host log-server-lovat.vercel.app. The reuse of payloads, infrastructure, package versions, and dummy pino-derived code suggests a consistent operator workflow within FAMOUS CHOLLIMA's Contagious Interview-related npm activity.
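One way to triage an unpacked npm package for this kind of stray shortcut, as an added example that is not code from the original write-up: it identifies Shell Link files by their header bytes rather than by extension and pulls out any embedded string beginning with the `\\vmware-host\Shared Folders` prefix reported above. The function names, the 1 MiB read cap and the sample blob are assumptions made for illustration.

```python
import os
import sys

# MS-SHLLINK header: HeaderSize 0x0000004C, then LinkCLSID
# 00021401-0000-0000-C000-000000000046 in on-disk GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# Prefix of the shared-folder path reported in the write-up above.
HOST_MARKER = r"\\vmware-host\Shared Folders"
MAX_BYTES = 1 << 20  # shortcuts are small; cap reads at 1 MiB (assumed limit)

def is_lnk(data: bytes) -> bool:
    """Identify a Shell Link by header bytes, not by file extension."""
    return data[:20] == LNK_MAGIC

def extract_paths(data: bytes, marker: str = HOST_MARKER) -> list:
    """Return NUL-terminated strings starting with marker (ANSI or UTF-16LE)."""
    found, hay = [], data.lower()  # bytes.lower() folds ASCII letters only
    for enc, width in (("latin-1", 1), ("utf-16-le", 2)):
        needle, nul = marker.lower().encode(enc), b"\x00" * width
        start = hay.find(needle)
        while start != -1:
            end = start
            while end + width <= len(data) and data[end:end + width] != nul:
                end += width
            found.append(data[start:end].decode(enc, errors="replace"))
            start = hay.find(needle, end)
    return found

def scan_package(root: str) -> dict:
    """Map each LNK found under an unpacked package to its marker paths."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read(MAX_BYTES)
            if is_lnk(data):
                hits[os.path.relpath(full, root)] = extract_paths(data)
    return hits

def make_sample_lnk(path: str) -> bytes:
    """Constructed test input: 76-byte header stub plus one UTF-16LE string."""
    return LNK_MAGIC + bytes(56) + path.encode("utf-16-le") + b"\x00\x00"

if __name__ == "__main__":
    for rel, paths in scan_package(sys.argv[1]).items():
        print(rel, paths)
```

A shortcut of any kind inside a published package is worth a look even when `extract_paths` returns nothing, since the marker only covers the VMware shared-folder case described here.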
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | f290db50ffe64d4fb5fe409d3d1c8ec… | 2026-02-13 | 2026-02-13 |
| HASH | 8456fc178a8ea190fc15a140c39a9bc… | 2026-02-13 | 2026-02-13 |