At least six distinct malicious package clusters are active in the npm registry at the same time. One cluster is linked to North Korea's PolinRider operation, and a second confirmed DPRK-nexus campaign is compromising the Axios library (approximately 100 million weekly downloads). The attackers are going after the full developer identity surface, including GitHub tokens, SSH keys, Docker credentials, npm tokens and AI coding assistant configuration files, and are using the npm ecosystem as a pivot into production CI/CD pipelines. Three packages impersonating postcss-selector-parser (127 million weekly downloads) were still available on the registry at the time of publication.
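A practical check against the impersonation and install-time pivot described above is to scan a project's lockfile for names that resemble high-value packages, for entries that run code on install, and for tarballs resolved outside the public registry. The script below is an added example, not code from the article or from any of the campaigns it describes. It reads the lockfileVersion 2/3 `packages` map that npm writes (the `hasInstallScript` field is npm's own marker for packages with preinstall/install/postinstall scripts); the watchlist, the edit-distance thresholds and the `SAMPLE_LOCK` entries are constructed here, and the suspicious package names in it are invented rather than the actual impersonating packages.

```javascript
// Added example (not from the article): flag lockfile entries that look like
// impersonations of watchlisted packages, run code at install time, or resolve
// outside the public registry. WATCHLIST, thresholds and SAMPLE_LOCK are
// constructed for illustration; the suspicious names below are invented.

const WATCHLIST = ['postcss-selector-parser', 'axios']; // the two packages named in the story
const REGISTRY = 'https://registry.npmjs.org/';

// Classic edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Returns the watchlisted name a package resembles, or null if it is the genuine
// package or unrelated. Heuristics (thresholds are assumptions): a scoped clone of
// an unscoped name, a one- or two-character typo, or "<name>-foo" suffix/prefix squatting.
function lookalikeOf(fullName, watchlist = WATCHLIST) {
  if (watchlist.includes(fullName)) return null; // the genuine package
  const bare = fullName.replace(/^@[^/]+\//, '').toLowerCase();
  for (const target of watchlist) {
    if (bare === target) return target; // e.g. @someone/axios
    const maxDist = target.length < 8 ? 1 : 2;
    if (Math.abs(bare.length - target.length) <= maxDist && levenshtein(bare, target) <= maxDist) return target;
    if (bare.startsWith(target + '-') || bare.endsWith('-' + target)) return target;
  }
  return null;
}

// Package name from a lockfile "packages" key such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(lockPath) {
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Walk a lockfileVersion 2/3 "packages" map and collect findings.
function scanLock(lock) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project itself
    const name = nameFromPath(lockPath);
    const reasons = [];
    const target = lookalikeOf(name);
    if (target) reasons.push(`name resembles watchlisted package ${target}`);
    if (meta.hasInstallScript) reasons.push('declares an install script (runs code on npm install)');
    if (meta.resolved && !meta.resolved.startsWith(REGISTRY)) reasons.push(`resolved outside ${REGISTRY}: ${meta.resolved}`);
    if (reasons.length) findings.push({ name, version: meta.version, reasons });
  }
  return findings;
}

// Constructed lockfile fragment; the last three entries are invented suspects.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/axios': { version: '1.6.0', resolved: `${REGISTRY}axios/-/axios-1.6.0.tgz` },
    'node_modules/postcss-selector-parser': { version: '6.0.13', resolved: `${REGISTRY}postcss-selector-parser/-/postcss-selector-parser-6.0.13.tgz` },
    'node_modules/left-pad': { version: '1.3.0', resolved: `${REGISTRY}left-pad/-/left-pad-1.3.0.tgz` },
    'node_modules/axioss': { version: '1.0.0', resolved: 'https://cdn.example.invalid/axioss-1.0.0.tgz' },
    'node_modules/postcss-selectors-parser': { version: '6.0.13', resolved: `${REGISTRY}postcss-selectors-parser/-/postcss-selectors-parser-6.0.13.tgz`, hasInstallScript: true },
    'node_modules/@acme/postcss-selector-parser': { version: '6.0.13', resolved: `${REGISTRY}@acme/postcss-selector-parser/-/postcss-selector-parser-6.0.13.tgz` },
  },
};

for (const f of scanLock(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version}: ${f.reasons.join('; ')}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and extend `WATCHLIST` with the packages your build actually depends on. The name heuristics are deliberately loose and will produce some false positives on short names; the install-script and off-registry checks are exact and are the ones worth failing a CI job on, ideally alongside installing with `--ignore-scripts` so nothing runs before the review.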