North Korean threat actors have expanded their presence in the npm ecosystem, publishing additional malicious packages that deliver the BeaverTail malware and introduce new remote access trojan loader functionality. The campaign, known as Contagious Interview, aims to compromise developer systems, steal sensitive data, and maintain access to compromised environments. The actors have created new npm accounts and deployed malicious code across npm, GitHub, and Bitbucket. The expanded campaign includes 11 new packages with over 5,600 downloads, using hexadecimal string encoding to evade detection. The malware targets browser data, macOS keychain, and cryptocurrency wallets. The threat actors are diversifying their tactics, using multiple malware variants and obfuscation techniques to ensure resilience and evade detection.