North Korean hackers have deployed 67 malicious packages on npm, through which a new malware loader called XORIndex was distributed. In total, the packages accounted for over 17,000 downloads.
Experts at Socket, who discovered these packages, suggest that the activity is part of an ongoing malicious campaign called Contagious Interview, targeting developers.
It is also noted that this campaign is a continuation of malicious activity that has been ongoing since April of this year. Last month, the same threat actors introduced 35 packages into npm, which infected developers’ devices with infostealers and backdoors.
The mentioned Contagious Interview campaign has been active since at least December 2022, and the main targets of the attackers are software developers. The hackers make fake job offers, which ultimately result in infecting their systems with malware. The hackers’ goals may vary: from collecting confidential information that allows them to hack companies, to stealing cryptocurrency assets.
Some of the 67 packages uploaded to npm mimicked the names of legitimate projects and libraries, such as:
- vite-meta-plugin;
- vite-postcss-tools;
- vite-logging-tool;
- vite-proc-log;
- pretty-chalk;
- postcss-preloader;
- js-prettier;
- flowframe;
- figwrap;
- midd-js and middy-js.
After installing any of these packages on the victim’s machine, a postinstall script was executed, launching XORIndex — a new tool which appears to be used by attackers in conjunction with the malware loader known as HexEval Loader.
XORIndex collects host data to profile the victim, and then transmits the data to a hardcoded command-and-control server address hosted within Vercel’s infrastructure, a company specializing in cloud application development.
In response, the attackers’ server provides one or more JavaScript payloads, which are executed on the victim’s system using eval(). These payloads are typically the BeaverTail and InvisibleFerret backdoors, which are associated with North Korean hackers and the Contagious Interview campaign.
Ultimately, the malware provides its operators with access to compromised machines, facilitates data exfiltration, and can be used to deliver additional payloads.
According to researchers, North Korean hackers employ both old and new tools with subtle modifications to evade detection, and each time npm removes the malware, they return using new accounts and package names.
“Defenders should expect new iterations of these loaders to appear in fresh packages, often with minor modifications that allow them to evade detection,” researchers warn.
2025.02.08 — Hackers exploit RCE vulnerability in Microsoft Outlook
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Federal Civilian Executive Branch (FCEB) Agencies that they have to secure their systems from ongoing…
Full article →
2025.04.04 — Privilege escalation vulnerability in Google Cloud resulting in sensitive data leaks finally patched
Tenable Research revealed details of a recently patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run enabling an attacker to gain access to container images…
Full article →
2025.02.06 — Let's Encrypt to stop sending expiration notification emails
The nonprofit organization announced that, starting June 4, 2025, it will stop sending expiration notification emails to subscribers. The primary reason behind this decision…
Full article →
2025.01.27 — Zyxel firewalls reboot due to flawed update
Zyxel warned its customers that a recent signature update may cause critical errors in USG FLEX and ATP series firewalls. As a result, devices go into…
Full article →
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework
According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…
Full article →
2025.01.30 — Hackers use vulnerabilities in SimpleHelp RMM to attack corporate networks
Experts believe that recently patched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) were used by attackers to gain initial access to corporate networks. A number…
Full article →
2025.03.16 — Researchers force DeepSeek to write malware
According to Tenable, the AI chatbot DeepSeek R1 from China can be used to write malware (e.g. keyloggers and ransomware). DeepSeek was released in January 2025 and caused a stir…
Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider
Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…
Full article →
2025.01.23 — Fake Telegram CAPTCHA forces users to run malicious PowerShell scripts
Hackers used the news of Ross Ulbricht pardoning to lure users to a rogue Telegram channel where they are tricked into running malicious PowerShell code. This…
Full article →
2025.04.23 — Improper authentication control vulnerability affects ASUS routers with AiCloud
ASUSTeK Computer Inc. fixed an improper authentication control vulnerability in routers with AiCloud. The bug allows remote attackers to perform unauthorized actions on vulnerable devices. The issue…
Full article →