DPRK tests Google Drive as a malware stager
ID: 3d7f7360-65fc-5bc0-8ee7-247a33828801
STIX ID: report--3d7f7360-65fc-5bc0-8ee7-247a33828801
Feed Name: KMsec blog
A researcher observed a malicious npm package, `express-core-validator` (v1.0.1), attributed to FAMOUS CHOLLIMA, that uses a novel staging technique: fetching and executing a JavaScript payload from Google Drive (file ID 16AaeeVhqj4Q6FlJIDMgdWASJvq7w00Yc). The post includes the full `core.js` loader, the SHA-256 of the retrieved payload (`2a7e7b76a3e8070410adce9b6a2b9cf112687922792c91be563c20fbf6a4a82f`), a mirrored copy in a GitHub repository, and hunting guidance (look for node processes resolving drive.google.com and other consumer storage providers).
