When Git History Lies: Commit-Date Spoofing as Malware Cover

2026-04-11 KL4R10N

https://kl4r10n.tech/blog/when-git-history-lies


Four public GitHub repositories contained the same obfuscated stage-0 JavaScript loader, appended after otherwise legitimate framework or build-tool configuration exports. The loader family aligns with publicly reported XCTDH and DEV#POPPER activity, and reporting cited in the excerpt links the broader campaign to DPRK-linked or North Korean state-sponsored operations. The samples abuse executable configuration files such as next.config.js, vue.config.js, truffle.js, and nwb.config.js, so normal build, test, or development commands can trigger the malicious code. Public reporting says the loader uses TRON or Aptos to retrieve payload pointers, BSC transaction input for encrypted payload data, XOR decryption, inline execution, and a detached background payload. The report also highlights commit-date spoofing, warning that a 2019 Git timestamp is not reliable evidence of benign age because the loader references infrastructure that could not predate Aptos mainnet.
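A check for the anachronism the report describes, as an added example that is not code from the original report: it flags commits whose claimed author date is earlier than something their own added lines reference. The commit records and ids are constructed sample data, the function and field names are hypothetical, and the October 2022 lower bound for Aptos mainnet is an assumption supplied here, not a value from the page.

```python
from datetime import date, datetime
from pathlib import PurePosixPath

# Config files the page names as run by normal build/test/dev commands.
EXEC_CONFIGS = {"next.config.js", "vue.config.js", "truffle.js", "nwb.config.js"}

# Marker string -> earliest date it could plausibly appear in source code.
# Assumption added here: Aptos mainnet went live in October 2022.
NOT_BEFORE = {"fullnode.mainnet.aptoslabs.com": date(2022, 10, 1)}

def anachronisms(commits, not_before=NOT_BEFORE):
    """Return one finding per (commit, file, marker) where the commit's claimed
    author date is earlier than the marker could have existed."""
    findings = []
    for c in commits:
        # Author and committer dates are set by the client, so treat as a claim.
        claimed = datetime.fromisoformat(c["author_date"]).date()
        for path, added in c["added"].items():
            for marker, earliest in not_before.items():
                if marker in added and claimed < earliest:
                    findings.append({
                        "commit": c["id"],
                        "path": path,
                        "marker": marker,
                        "claimed": claimed.isoformat(),
                        "earliest": earliest.isoformat(),
                        # True when a build/dev command would execute the file.
                        "auto_executed": PurePosixPath(path).name in EXEC_CONFIGS,
                    })
    return findings

# Constructed sample: commit id, claimed author date, added text per file.
SAMPLE_COMMITS = [
    {"id": "c0ffee1", "author_date": "2019-03-02T10:15:00+00:00",
     "added": {"next.config.js":
               "module.exports = { reactStrictMode: true };\n"
               "/* placeholder for appended code */ "
               "'https://fullnode.mainnet.aptoslabs.com'"}},
    {"id": "c0ffee2", "author_date": "2019-03-05T09:00:00+00:00",
     "added": {"README.md": "Update install notes"}},
    {"id": "c0ffee3", "author_date": "2023-06-01T12:00:00+00:00",
     "added": {"src/wallet.js": "const NODE = 'fullnode.mainnet.aptoslabs.com';"}},
]

if __name__ == "__main__":
    for f in anachronisms(SAMPLE_COMMITS):
        print(f)
```

A finding means the claimed date cannot be trusted for that commit; it does not by itself show the added code is malicious, so the file still needs review.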

Indicators of Compromise

