North Korea-linked actors spread XORIndex malware via 67 malicious npm packages
North Korea-linked hackers uploaded 67 malicious npm packages with XORIndex malware, hitting 17K+ downloads in ongoing supply chain attacks.
North Korea-linked threat actors behind the Contagious Interview campaign have uploaded 67 malicious npm packages with XORIndex malware loader, hitting over 17,000 downloads in ongoing supply chain attacks.
XORIndex was built to evade detection and deploy BeaverTail, a second-stage malware tied to the known backdoor InvisibleFerret. This follows the earlier HexEval loader campaign, still ongoing with over 8,000 downloads. Despite takedown efforts, 27 packages remain live. These nation-state actors continue to target developers and individuals via persistent npm-based attacks.
“The Socket Threat Research Team has uncovered a new North Korean software supply chain attack involving a previously unreported malware loader we call XORIndex. This activity is an expansion of the campaign we reported in June 2025, which deployed the HexEval Loader.” reads the report published by cybersecurity firm Socket. “The HexEval Loader campaign shows no signs of slowing down, as the threat actors continue uploading malicious packages to the npm registry.”

The XORIndex Loader campaign by North Korean threat actors planted 28 malicious npm packages using advanced techniques like string obfuscation, multi-endpoint C2 rotation, and host profiling. These packages allow attackers to collect system data and deliver BeaverTail malware, which focuses on crypto wallets and browser extensions, later downloading the InvisibleFerret backdoor.
“The second-stage malware delivered by the XORIndex Loader via the eth-auditlog package is BeaverTail — the hallmark payload of the North Korean Contagious Interview operations. It scans for dozens of known desktop wallet directories and browser extension paths, archives the collected data, and exfiltrates it to a hardcoded IP-based HTTP endpoint.” continues the report. “Several string constants in the code match wallet and extension identifiers previously attributed to BeaverTail. BeaverTail downloads additional payloads, such as the InvisibleFerret backdoor, using filenames like p.zi or p2.zip.”
This marks a clear evolution from earlier, simpler loaders. Despite takedown efforts, attackers persist by using legitimate services like Vercel, making supply chain defenses critical for developers and organizations.
“Contagious Interview threat actors will continue to diversify their malware portfolio, rotating through new npm maintainer aliases, reusing loaders such as HexEval Loader and malware families like BeaverTail and InvisibleFerret, and actively deploying newly observed variants including XORIndex Loader.” concludes the report. “Defenders should expect continued iterations of these loaders across newly published packages, often with slight variations to evade detection. The threat actors’ consistent use of legitimate infrastructure providers like Vercel for C2 lowers operational overhead and may influence similar adoption by other APTs or cybercriminal groups. Evasive methods such as memory-only execution and obfuscation will likely increase, complicating detection and incident response.”
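As an added illustration of the package review the report argues for (this is not Socket's tooling or code from the report), the Node.js script below audits a package's manifest and source text for the loader traits described above: install-time lifecycle scripts, hardcoded IP-based HTTP endpoints, XOR-style string decoding, large encoded string tables, host-profiling calls, dynamic code execution, and endpoints hosted on vercel.app. The two sample packages, their names, file contents, indicator weights and verdict thresholds are constructed for the example; the IP address comes from the 203.0.113.0/24 documentation range and the vercel.app hostname is a placeholder. The regexes are heuristics and will flag some legitimate code, so the output is a triage score, not a verdict.

```javascript
'use strict';
// Added example (not Socket's tooling): heuristic audit of an npm package's
// manifest and source for the loader traits the report describes. Sample
// packages, indicator weights and thresholds are constructed for illustration.

// Each indicator: a regex applied to source text, a weight, and a plain reason.
const SOURCE_INDICATORS = [
  { id: 'ip-http-endpoint', weight: 3,
    re: /https?:\/\/(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/,
    why: 'hardcoded IP-based HTTP endpoint' },
  { id: 'xor-string-decode', weight: 3,
    re: /String\.fromCharCode[^;]{0,80}\^/,
    why: 'XOR-based string decoding (string obfuscation)' },
  { id: 'int-array-blob', weight: 2,
    re: /\[\s*(?:\d{1,3}\s*,\s*){31,}\d{1,3}\s*\]/,
    why: 'large numeric array, likely an encoded string table' },
  { id: 'host-profiling', weight: 2,
    re: /\bos\.(?:hostname|platform|userInfo|networkInterfaces|arch|release)\s*\(/,
    why: 'host profiling through the os module' },
  { id: 'dynamic-eval', weight: 3,
    re: /\beval\s*\(|new\s+Function\s*\(/,
    why: 'dynamic code execution' },
  { id: 'third-party-hosting-c2', weight: 2,
    re: /https?:\/\/[\w.-]+\.vercel\.app/,
    why: 'endpoint on a third-party hosting provider (vercel.app)' },
];

// npm runs these hooks automatically during `npm install`, so whatever they
// start executes before a developer has read a line of the package.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

function auditManifest(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return LIFECYCLE_HOOKS.filter((h) => scripts[h]).map((h) => ({
    id: `lifecycle-${h}`, weight: 3, file: 'package.json',
    why: `runs "${scripts[h]}" automatically during npm install`,
  }));
}

function auditSource(file, text) {
  return SOURCE_INDICATORS.filter((ind) => ind.re.test(text))
    .map((ind) => ({ id: ind.id, weight: ind.weight, file, why: ind.why }));
}

// pkg = { manifest: <parsed package.json>, files: { path: sourceText } }
function auditPackage(pkg) {
  const findings = auditManifest(pkg.manifest);
  for (const [file, text] of Object.entries(pkg.files || {})) {
    findings.push(...auditSource(file, text));
  }
  const score = findings.reduce((s, f) => s + f.weight, 0);
  const verdict = score >= 6 ? 'suspicious' : score >= 3 ? 'review' : 'low';
  return { score, verdict, findings };
}

// Constructed sample that shows every trait at once. The IP is from the
// 203.0.113.0/24 documentation range; the vercel.app name is a placeholder.
const SUSPICIOUS_PACKAGE = {
  manifest: { name: 'example-audit-helper', version: '1.0.0',
              scripts: { postinstall: 'node lib/setup.js' } },
  files: {
    'lib/setup.js': `
const os = require('os');
const key = [19, 7, 44];
const blob = [${Array.from({ length: 40 }, (_, i) => (i * 7) % 256).join(', ')}];
function dec(a) { return a.map((b, i) => String.fromCharCode(b ^ key[i % key.length])).join(''); }
const profile = { host: os.hostname(), platform: os.platform() };
const primary = 'http://203.0.113.10:8080/api';
const fallback = 'https://placeholder-c2-example.vercel.app/ping';
new Function(dec(blob))();
`,
  },
};

// Constructed benign package for comparison: no hooks, no network, no obfuscation.
const BENIGN_PACKAGE = {
  manifest: { name: 'example-string-utils', version: '1.0.0',
              scripts: { test: 'node test.js' } },
  files: {
    'index.js': `
'use strict';
// Pads a value to a fixed display width.
function pad(value, width) { return String(value).padEnd(width); }
module.exports = { pad };
`,
  },
};

// Stand-alone usage: print a triage summary for both constructed packages.
if (typeof require !== 'undefined' && require.main === module) {
  for (const pkg of [SUSPICIOUS_PACKAGE, BENIGN_PACKAGE]) {
    const r = auditPackage(pkg);
    console.log(`${pkg.manifest.name}: ${r.verdict} (score ${r.score})`);
    for (const f of r.findings) console.log(`  [${f.id}] ${f.file}: ${f.why}`);
  }
}
```

Run against a real dependency by parsing its `package.json` and reading the files under `node_modules/<name>` into the `files` map; a lone `postinstall` hook lands in the `review` band because many legitimate native-module packages use one, while the combination of a hook, an IP-based endpoint and a decoding loop is what pushes a package into `suspicious`.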
Pierluigi Paganini
(SecurityAffairs – hacking, XORIndex malware)