- North Korean threat actors posted 67 malicious npm packages, expanding ongoing software supply chain attacks.
- The new Malware loader “XORIndex” and existing “HexEval” loader targeted developers, leading to over 17,000 combined downloads.
- The campaign, called “Contagious Interview,” lures developers with fake coding assignments using open-source projects.
- The loaders deploy info-stealing malware, including “BeaverTail” and “InvisibleFerret,” to steal browser and cryptocurrency data.
- The attackers are evolving their methods, frequently changing npm accounts and updating their malware for better stealth.
North Korean cyber actors linked to the “Contagious Interview” campaign released 67 new malicious packages on the npm registry. Security firm Socket identified the activity in June and July 2025, as attackers continue to target the open-source software supply chain.
The reported malware packages have already collected more than 17,000 downloads. These packages use a new malware loader called XORIndex, as well as an older loader known as HexEval. “The Contagious Interview operation continues to follow a whack-a-mole dynamic, where defenders detect and report malicious packages, and North Korean threat actors quickly respond by uploading new variants,” said researcher Kirill Boychenko at Socket in a blog post.
The campaign, dating back to late 2023, tricks developers into downloading malicious open-source packages by pretending they are part of a coding assignment. The group, also called DeceptiveDevelopment, Famous Chollima, and UNC5342, targets existing employees at organizations of interest. Researchers believe this effort supports North Korea’s strategy of gaining access to sensitive company data.
The attack chain is direct: malicious npm packages act as delivery channels for the “BeaverTail” JavaScript loader, designed to steal information from web browsers and cryptocurrency wallets. This malware can also install a secondary backdoor, known as “InvisibleFerret.” Boychenko noted, “The two campaigns now operate in parallel. XORIndex has accumulated over 9,000 downloads in a short window (June to July 2025), while HexEval continues at a steady pace, with more than 8,000 additional downloads.”
Both XORIndex and HexEval profile infected machines using hard-coded command-and-control servers before sending information remotely and launching BeaverTail. Analyses show the malware has become more sophisticated, with newer versions adding system profiling features and improved stealth.
Researchers expect these threat actors to continue shifting their tactics, rotating npm maintainer aliases and evolving their malware families to bypass detection and reach more victims.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Dogecoin Eyes $0.25 as $1,000 Investment Could Hit $3,434 by 2030
- Elmo’s X Account Hacked, Used for Antisemitic, Racist Posts
- Morgan Stanley Downgrades CrowdStrike as Stock Hits Resistance
- MicroStrategy Dilutes All Share Classes to Buy More Bitcoin
- Coinbase Sues Oregon Over Crypto Records, Cites Policy Flip-Flop
