VMWare artifacts left by a FAMOUS CHOLLIMA operator
ID: 41df5115-e320-5bd4-b8de-40c5a29bb477
STIX ID: report--41df5115-e320-5bd4-b8de-40c5a29bb477
Feed Name: KMsec blog
The researcher discovered multiple malicious npm packages (May–June 2025) attributable to the DPRK-linked FAMOUS CHOLLIMA group. The packages included a Windows LNK file that revealed operator telemetry: VMware usage and a shared folder mapped at \\vmware-host\Shared Folders\VM_Share\Repos_paladin\my_npm\logs-buffer. A reused payload hash (f290db50ffe64d4fb5fe409d3d1c8eca6f6711e4bbd85a13c9dce055508cc1b3) and consistent next-stage infrastructure (log-server-lovat.vercel.app) indicate a focused supply-chain campaign with repeatable TTPs.
