procwire / deltajohnsons Windows Dropper

discovered 2026-06-17

A single operator published five coordinated npm packages in a 12-minute burst on 2026-06-16 (14:44:00-14:56:56 UTC) to deliver a Windows binary dropper split across the packages. Supporting infrastructure: two fabricated GitHub orgs (akuznetsov-oss, vpetrov-oss, both now 404), throwaway maintainer emails under the custom domain deltajohnsons.com (one random local-part per package), and two invented author personas (Anton Kuznetsov <[email protected]>, Viktor Petrov <[email protected]>). Weaponized packages: procwire (dropper) and routecraft (Express typosquat, on-Windows trigger). Tooling packages: bytecraft (XOR helper), endpointmap (metadata-only C2 store), staticlayer (the operator's own payload server side, UA-gated). Assessed as a NET-NEW operator/cluster (high confidence), not a known actor. The only atom shared with prior KB campaigns is catbox.moe, broadly abused shared infrastructure used here for inbound payload staging rather than the outbound exfil seen with LofyGang; this overlap is coincidental and NOT attribution.
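The publishing pattern above (several packages from one custom maintainer domain, a distinct random local-part per package, all pushed within minutes) is itself a detectable signal. The following is an added example of a registry-side burst detector, not code from the write-up or from the packages described. It assumes publish events are available as (package name, maintainer email, ISO-8601 UTC timestamp) tuples; the sample events are constructed, with invented local-parts and publish times spread across the 14:44:00-14:56:56 window, and the benign entries under example.org are placeholders.

```python
"""Flag coordinated npm publish bursts from a single maintainer e-mail domain.

Added detection example; the input records below are constructed sample data,
not real registry output. Local-parts and per-package times are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample publish events: (package, maintainer email, publish time UTC).
# Domain deltajohnsons.com and the package names come from the write-up;
# local-parts and exact timestamps are placeholders.
SAMPLE_EVENTS = [
    ("procwire",    "k7f2q9@deltajohnsons.com", "2026-06-16T14:44:00Z"),
    ("bytecraft",   "x3m8p1@deltajohnsons.com", "2026-06-16T14:47:10Z"),
    ("endpointmap", "r9t4w6@deltajohnsons.com", "2026-06-16T14:50:30Z"),
    ("staticlayer", "b2n5h7@deltajohnsons.com", "2026-06-16T14:53:45Z"),
    ("routecraft",  "v8c1z3@deltajohnsons.com", "2026-06-16T14:56:56Z"),
    # Benign control group: same maintainer, releases days apart.
    ("widget-core", "dev@example.org",          "2026-06-10T09:00:00Z"),
    ("widget-cli",  "dev@example.org",          "2026-06-14T11:30:00Z"),
]


def parse_ts(value):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def email_domain(addr):
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def find_publish_bursts(events, window=timedelta(minutes=15), min_packages=3):
    """Return one record per maintainer domain whose publishes cluster in `window`.

    For each domain, events are sorted by time and scanned with a sliding window;
    the densest window holding at least `min_packages` distinct publishes is reported.
    The count of distinct local-parts is included because a fresh address per
    package is a stronger signal than one shared maintainer account.
    """
    by_domain = defaultdict(list)
    for name, email, ts in events:
        by_domain[email_domain(email)].append((parse_ts(ts), name, email))

    bursts = []
    for domain, items in by_domain.items():
        items.sort()
        start, best = 0, None
        for end in range(len(items)):
            # Advance the window start until the span fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= min_packages and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, s, e = best
        cluster = items[s:e + 1]
        bursts.append({
            "domain": domain,
            "packages": [name for _, name, _ in cluster],
            "span_seconds": int((cluster[-1][0] - cluster[0][0]).total_seconds()),
            "distinct_local_parts": len({em.split("@", 1)[0] for _, _, em in cluster}),
        })
    return bursts


if __name__ == "__main__":
    for burst in find_publish_bursts(SAMPLE_EVENTS):
        print(burst)
```

Run against the sample, the deltajohnsons.com cluster is reported as five packages within 776 seconds using five distinct local-parts, while the example.org control is not flagged. In a real pipeline the thresholds would be tuned per registry, and a hit would be a triage prompt (inspect install scripts and cross-package imports), not a verdict on its own.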

Objective

Deliver and execute a hidden Windows binary payload on developer and CI machines via npm install, splitting the dropper across multiple packages so that no single package carries enough of it to trigger per-package detection.

Packages

Indicators

Techniques

Read the full analysis →