Tracking DPRK operator IPs over time

ID: fa0ecee0-93eb-54e0-a60b-1b13cbc7008b

STIX ID: report--fa0ecee0-93eb-54e0-a60b-1b13cbc7008b

Feed Name: KMsec blog

Threat Score: 78/100

Date Published: 2026-02-22

Date Updated: 2026-04-19

The author details tracking of FAMOUS CHOLLIMA's malicious npm package campaign (Jul 2025–Feb 2026), exposing misuse of insecure temporary-email services that allowed public mailbox access, enumerating attacker-controlled domains/MX records, package names, and a timeline of publishing IPs (including Astrill VPN and TransTeleCom addresses). The piece includes IOCs and hunting recommendations for subscription platforms to block or flag temporary-mail signups and to hunt outbound registration mail to known temp-mail infrastructure.
