BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

North Korean XORIndex Malware Targets npm Registry in New Attack

  • North Korean threat actors posted 67 malicious npm packages, expanding ongoing software supply chain attacks.
  • The new Malware loader “XORIndex” and existing “HexEval” loader targeted developers, leading to over 17,000 combined downloads.
  • The campaign, called “Contagious Interview,” lures developers with fake coding assignments using open-source projects.
  • The loaders deploy info-stealing malware, including “BeaverTail” and “InvisibleFerret,” to steal browser and cryptocurrency data.
  • The attackers are evolving their methods, frequently changing npm accounts and updating their malware for better stealth.

North Korean cyber actors linked to the “Contagious Interview” campaign released 67 new malicious packages on the npm registry. Security firm Socket identified the activity in June and July 2025, as attackers continue to target the open-source software supply chain.

- Advertisement -

The reported malware packages have already collected more than 17,000 downloads. These packages use a new malware loader called XORIndex, as well as an older loader known as HexEval. “The Contagious Interview operation continues to follow a whack-a-mole dynamic, where defenders detect and report malicious packages, and North Korean threat actors quickly respond by uploading new variants,” said researcher Kirill Boychenko at Socket in a blog post.

The campaign, dating back to late 2023, tricks developers into downloading malicious open-source packages by pretending they are part of a coding assignment. The group, also called DeceptiveDevelopment, Famous Chollima, and UNC5342, targets existing employees at organizations of interest. Researchers believe this effort supports North Korea’s strategy of gaining access to sensitive company data.

The attack chain is direct: malicious npm packages act as delivery channels for the “BeaverTail” JavaScript loader, designed to steal information from web browsers and cryptocurrency wallets. This malware can also install a secondary backdoor, known as “InvisibleFerret.” Boychenko noted, “The two campaigns now operate in parallel. XORIndex has accumulated over 9,000 downloads in a short window (June to July 2025), while HexEval continues at a steady pace, with more than 8,000 additional downloads.”

Both XORIndex and HexEval profile infected machines using hard-coded command-and-control servers before sending information remotely and launching BeaverTail. Analyses show the malware has become more sophisticated, with newer versions adding system profiling features and improved stealth.

- Advertisement -

Researchers expect these threat actors to continue shifting their tactics, rotating npm maintainer aliases and evolving their malware families to bypass detection and reach more victims.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

SK Hynix ADR gains vanish in under a day

SK Hynix's ADRs rose 12.7% on Nasdaq debut Friday but the entire gain was...

Binance futures hit 2026 high as spot market lags

Binance recorded $1.6 trillion in futures trading volume in June, its highest level of...

CISA adds two critical Joomla extension flaws to KEV list

U.S. CISA added two maximum-severity Joomla extension flaws to its Known Exploited Vulnerabilities (KEV)...

Russia, India push de-dollarization to hit $100 billion trade target

Russia and India are accelerating a bilateral trade deal to reach a $100 billion...

AI freelancers could drive $262B in stablecoin payments by 2033

Swyftx projects that $262 billion of the AI-native gig economy's payment volume could be...

Must Read

Top 8 Best Anonymous Web Hosting Companies That Accept Crypto

Nowadays, there is plenty of information about people online, and malicious people use them to carry out inappropriate activities. If you want to keep...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading