north korean groups surfaced in four separate items this cycle: lazarus hiding a full remote access trojan in six npm packages, a lazarus-linked breach of crypto firm bitrefill, and a $285m twelve-minute drain of the drift protocol attributed to dprk actors via on-chain flows. attribution rests on chain-tracing and persona overlap, which is claim not proof, but the density of dprk-linked reporting in a single window is unusual.