North Korean Hackers Distribute XORIndex Malware via npm Packages

Alan V Gutnov

Director of Strategy

July 16, 2025 3 min read

North Korean Hackers Target npm Registry with Malicious Packages

North Korean hackers have been actively exploiting the npm registry by uploading 67 malicious packages, which have collectively garnered over 17,000 downloads. This operation is part of a broader campaign referred to as Contagious Interview, aimed at compromising Western technology products through supply chain attacks.

XORIndex Malware

According to cybersecurity researchers at Socket, these packages are designed to deploy a malware loader known as XORIndex, which is intended to evade detection and facilitate further attacks. The XORIndex loader primarily delivers a second-stage malware called BeaverTail, which is linked to a known backdoor called InvisibleFerret. This follows a previous campaign involving the HexEval loader, which is still ongoing and has also been linked to significant download activity.

The research team from Socket noted, "The Socket Threat Research Team has uncovered a new North Korean software supply chain attack involving a previously unreported malware loader we call XORIndex." They also mentioned that the HexEval loader campaign continues to persist, with attackers uploading malicious packages to the npm registry.

Techniques and Evasion Strategies

The XORIndex loader is characterized by advanced techniques, including string obfuscation and multi-endpoint command-and-control (C2) rotation. These methods allow attackers to collect valuable system data while evading detection. The malicious packages also target crypto wallets and browser extensions, further highlighting the targeted nature of these attacks.

Cybersecurity researchers have indicated that the real attack vector often occurs outside of npm, primarily through platforms like LinkedIn, Telegram, or Discord. North Korean actors frequently pose as recruiters, enticing software developers to download and execute these malicious npm packages as part of a fake job application process.

The Socket report emphasizes that "Contagious Interview threat actors will continue to diversify their malware portfolio," indicating a persistent threat. As these actors rotate through new npm maintainer aliases and deploy various loaders, the risk to developers and organizations remains significant.

Ongoing Threat Landscape

Despite ongoing takedown efforts, 27 of the malicious packages remain active on the npm registry. The continuous evolution of the malware indicates a robust and adaptable threat landscape, with North Korean hackers employing increasingly sophisticated techniques to maintain their operations.

The use of legitimate services like Vercel for C2 infrastructure lowers operational overhead for these threat actors while complicating detection efforts for defenders. The report warns that expected iterations of these loaders across newly published packages will likely feature slight variations designed to evade detection.

For organizations and developers, the need for proactive supply chain defenses is more critical than ever, as these attacks can lead to severe data breaches and financial losses.

As the threat landscape evolves, staying informed and vigilant is essential. For additional insights and updates on malware analysis and cybersecurity strategies, consider exploring our services.


MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.
