A threat actor published four malicious npm packages delivering credential-stealing malware, a Golang DDoS botnet (Phantom Bot), and a cloned Shai-Hulud worm reconfigured with a new C2 server. The campaign explicitly targets cloud credentials, SSH keys, cryptocurrency wallets, and AI-assisted development tools including Claude Code session hooks. With approximately 3,000 combined downloads and a correlated BreachForums competition incentivizing supply chain attack development, this campaign is assessed as a precursor to broader exploitation.

Author

Tech Jacks Solutions