Article Details
Scrape Timestamp (UTC): 2025-07-15 07:25:08.664
Source: https://thehackernews.com/2025/07/north-korean-hackers-flood-npm-registry.html
Original Article Text
North Korean Hackers Flood npm Registry with XORIndex Malware in Ongoing Attack Campaign

The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing another set of 67 malicious packages to the npm registry, underscoring ongoing attempts to poison the open-source ecosystem via software supply chain attacks. The packages, per Socket, have attracted more than 17,000 downloads and incorporate a previously undocumented version of a malware loader codenamed XORIndex. The activity is an expansion of an attack wave spotted last month that involved the distribution of 35 npm packages that deployed another loader referred to as HexEval.

"The Contagious Interview operation continues to follow a whack-a-mole dynamic, where defenders detect and report malicious packages, and North Korean threat actors quickly respond by uploading new variants using the same, similar, or slightly evolved playbooks," Socket researcher Kirill Boychenko said.

Contagious Interview is the name assigned to a long-running campaign that seeks to entice developers into downloading and executing an open-source project as part of a purported coding assignment. First publicly disclosed in late 2023, the threat cluster is also tracked as DeceptiveDevelopment, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi. The activity is believed to be complementary to Pyongyang's infamous remote information technology (IT) worker scheme, adopting the strategy of targeting developers already employed in companies of interest rather than applying for a job.

The attack chains using malicious npm packages are fairly straightforward in that they serve as a conduit for a known JavaScript loader and stealer called BeaverTail, which is subsequently used to extract data from web browsers and cryptocurrency wallets, as well as to deploy a Python backdoor referred to as InvisibleFerret.

"The two campaigns now operate in parallel. XORIndex has accumulated over 9,000 downloads in a short window (June to July 2025), while HexEval continues at a steady pace, with more than 8,000 additional downloads across the newly discovered packages," Boychenko said.

The XORIndex Loader, like HexEval, profiles the compromised machine and uses endpoints associated with hard-coded command-and-control (C2) infrastructure to obtain the external IP address of the host. The collected information is then beaconed to a remote server, after which BeaverTail is launched.

Further analysis of these packages has uncovered a steady evolution of the loader, progressing from a bare-bones prototype to a more sophisticated, stealthier piece of malware. Early iterations lack obfuscation and reconnaissance capabilities while keeping their core functionality intact; second- and third-generation versions introduce rudimentary system reconnaissance.

"Contagious Interview threat actors will continue to diversify their malware portfolio, rotating through new npm maintainer aliases, reusing loaders such as HexEval Loader and malware families like BeaverTail and InvisibleFerret, and actively deploying newly observed variants including XORIndex Loader," Boychenko said.
Daily Brief Summary
North Korean hackers released 67 malicious packages into the npm registry, marking an ongoing software supply chain attack linked to the Contagious Interview campaign.
These packages have collectively garnered over 17,000 downloads and introduce a new malware loader variant named XORIndex.
Earlier, 35 npm packages were discovered deploying another loader, HexEval, which has accumulated more than 8,000 additional downloads.
The hackers have adopted a rapid replacement strategy for detected malicious packages, uploading new or modified versions to evade security measures.
Their operation, Contagious Interview, entices developers to download malicious open-source projects under the guise of coding tasks, targeting developers already employed at companies of interest rather than applying for jobs there.
The loaders ultimately launch BeaverTail, which serves dual purposes: extracting sensitive data from web browsers and cryptocurrency wallets, and deploying a Python backdoor called InvisibleFerret.
Over time, the potency and stealth of the loaders have evolved, with newer versions showing enhanced capabilities in system reconnaissance and obfuscation.
Socket researcher Kirill Boychenko predicts continued diversification and deployment of new malware variants by the attackers, signifying a persistent threat.