A few years ago, I remember reading about some NFT contract attack that did something similar. So I'm sure it's out there now.

It's not a "group specific" technique.

This is smart, but not really unusual.

Almost certainly Lazarus

The phishing email comes across a bit too amateur. Specifically the inclusion of:

"we kindly ask that you complete this update your earliest convenience".

The email was included here: https://cdn.prod.website-files.com/642adcaf364024654c71df23/...

From this article: https://www.aikido.dev/blog/npm-debug-and-chalk-packages-com...

Very amateur. Who would fall that, really? I can only suspect npm people who are used to unprofessional repo hosting practices.

Such a Two Factor Authentication update request would have needed a blog post first, to announce such a fishy request.