Malware XORIndex Discovered in 67 npm Packages

📟 News

Date: 18/07/2025

North Korean hackers have published 67 malicious packages on npm that distribute a new malware loader called XORIndex. Together, the packages accounted for over 17,000 downloads.

Experts at Socket, who discovered these packages, suggest that the activity is part of an ongoing malicious campaign called Contagious Interview, targeting developers.

The researchers also note that this wave continues malicious activity that has been ongoing since April of this year. Last month, the same threat actors introduced 35 packages into npm that infected developers’ devices with infostealers and backdoors.

The Contagious Interview campaign has been active since at least December 2022, and its main targets are software developers. The hackers approach them with fake job offers that ultimately result in the developers’ systems being infected with malware. The hackers’ goals vary, from collecting confidential information that lets them break into companies to stealing cryptocurrency assets.

Some of the 67 packages uploaded to npm mimicked the names of legitimate projects and libraries, such as:

  • vite-meta-plugin;
  • vite-postcss-tools;
  • vite-logging-tool;
  • vite-proc-log;
  • pretty-chalk;
  • postcss-preloader;
  • js-prettier;
  • flowframe;
  • figwrap;
  • midd-js and middy-js.

After any of these packages is installed on the victim’s machine, a postinstall script runs and launches XORIndex, a new loader that appears to be used alongside the previously documented HexEval Loader.

XORIndex collects host data to profile the victim and then transmits it to a hardcoded command-and-control server hosted on the infrastructure of Vercel, a cloud application development platform.

In response, the attackers’ server provides one or more JavaScript payloads, which are executed on the victim’s system using eval(). These payloads are typically the BeaverTail and InvisibleFerret backdoors, which are associated with North Korean hackers and the Contagious Interview campaign.

Ultimately, the malware provides its operators with access to compromised machines, facilitates data exfiltration, and can be used to deliver additional payloads.

According to researchers, North Korean hackers employ both old and new tools with subtle modifications to evade detection, and each time npm removes the malware, they return using new accounts and package names.

“Defenders should expect new iterations of these loaders to appear in fresh packages, often with minor modifications that allow them to evade detection,” researchers warn.
