
North Korean hackers have deployed 67 malicious packages on npm, through which a new malware loader called XORIndex was distributed. In total, the packages accounted for over 17,000 downloads.
Experts at Socket, who discovered these packages, suggest that the activity is part of an ongoing malicious campaign called Contagious Interview, targeting developers.
It is also noted that this campaign is a continuation of malicious activity that has been ongoing since April of this year. Last month, the same threat actors introduced 35 packages into npm, which infected developers’ devices with infostealers and backdoors.

The Contagious Interview campaign has been active since at least December 2022, and its main targets are software developers. The hackers approach them with fake job offers, which ultimately result in the developers’ systems being infected with malware. The hackers’ goals vary, from collecting confidential information that lets them break into the developers’ employers to stealing cryptocurrency assets.
Some of the 67 packages uploaded to npm mimicked the names of legitimate projects and libraries, such as:
- vite-meta-plugin;
- vite-postcss-tools;
- vite-logging-tool;
- vite-proc-log;
- pretty-chalk;
- postcss-preloader;
- js-prettier;
- flowframe;
- figwrap;
- midd-js and middy-js.
After installing any of these packages on the victim’s machine, a postinstall script was executed, launching XORIndex — a new tool which appears to be used by attackers in conjunction with the malware loader known as HexEval Loader.
XORIndex collects host data to profile the victim, and then transmits the data to a hardcoded command-and-control server address hosted within Vercel’s infrastructure, a company specializing in cloud application development.
In response, the attackers’ server provides one or more JavaScript payloads, which are executed on the victim’s system using eval(). These payloads are typically the BeaverTail and InvisibleFerret backdoors, which are associated with North Korean hackers and the Contagious Interview campaign.
Ultimately, the malware provides its operators with access to compromised machines, facilitates data exfiltration, and can be used to deliver additional payloads.
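The chain above rests on two traits that are visible in a package manifest before anything runs: an install-lifecycle hook and a name borrowed from a popular package. The following audit, added here as an example and not code from Socket or the campaign, flags both in a set of constructed `package.json` objects; the short `POPULAR_NAMES` allowlist is an assumption that a real audit would replace with a much larger list.

```javascript
// Added example: audit npm package manifests for install hooks and lookalike names.
// Lifecycle scripts that npm runs automatically during installation.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Assumption: a small allowlist of well-known package names (a real audit would use
// a much larger list, e.g. the most downloaded packages on the registry).
const POPULAR_NAMES = ["vite", "chalk", "postcss", "prettier", "middy"];

// Levenshtein distance, used to catch near-misspellings of popular names.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Returns the popular name this package name imitates, or null if it is not a lookalike.
function lookalikeOf(name) {
  if (POPULAR_NAMES.includes(name)) return null; // the genuine package itself
  for (const known of POPULAR_NAMES) {
    if (name.includes(known) || editDistance(name, known) <= 2) return known;
  }
  return null;
}

// Returns a list of human-readable findings for one package.json object.
function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push(`install hook ${hook}: ${scripts[hook]}`);
  }
  const imitated = lookalikeOf(manifest.name);
  if (imitated) findings.push(`name resembles popular package "${imitated}"`);
  return findings;
}

// Constructed sample manifests, as would be read from node_modules/*/package.json.
const SAMPLE_MANIFESTS = [
  { name: "pretty-chalk", version: "1.0.2", scripts: { postinstall: "node index.js" } },
  { name: "vite-proc-log", version: "0.1.0", scripts: { preinstall: "node setup.js" } },
  { name: "chalk", version: "5.3.0", scripts: { test: "node test.js" } },
  { name: "flowframe", version: "1.0.0", scripts: { postinstall: "node lib/init.js" } },
];

// Both traits together are the strongest signal; a hook alone still deserves review.
function auditAll(manifests) {
  return manifests
    .map((m) => ({ name: m.name, findings: auditManifest(m) }))
    .filter((r) => r.findings.length > 0)
    .map((r) => ({ ...r, severity: r.findings.length >= 2 ? "high" : "review" }));
}
```

Run it against the manifests under a project's `node_modules` before the first `npm install` on a new lockfile, or use `npm install --ignore-scripts` so hooks never execute until they have been reviewed.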
According to researchers, North Korean hackers employ both old and new tools with subtle modifications to evade detection, and each time npm removes the malware, they return using new accounts and package names.
“Defenders should expect new iterations of these loaders to appear in fresh packages, often with minor modifications that allow them to evade detection,” researchers warn.
