Say hello to Nextron’s RuneAI
ID: 463b7ec2-5177-587b-bc3f-abd040ad3ac7
STIX ID: report--463b7ec2-5177-587b-bc3f-abd040ad3ac7
Feed Name: Nextron Systems
This report analyzes a malicious Node.js package found in an artifact-scanning pipeline. The package installs a weaponized SQLite DLL, extracts an encrypted stage from an appended JPEG, and decrypts and loads a Cobalt Strike beacon. It uses Dropbox links for payload staging and command-and-control (C2), with persistence via the Windows Startup folder. The report provides hashes, active Dropbox URLs, a C2 IP (34.203.197.60:443), and a YARA detection to aid remediation.
