North Korean Hackers Exploit 67 Malicious npm Packages to Spread XORIndex Malware
The Socket Threat Research Team has discovered a new software supply chain attack that uses a previously unreported malware loader called XORIndex, marking a major uptick in North Korean cyber operations.
This activity builds on the Contagious Interview campaign previously detailed in June 2025, which involved the HexEval Loader.
The adversaries, attributed to North Korean state-backed actors, infiltrated the npm registry with 67 malicious packages, amassing over 17,000 downloads collectively.
Of these, 27 packages remain active, prompting immediate takedown requests to npm’s security team and account suspensions.
Contagious Interview Campaign
The campaign exhibits a persistent “whack-a-mole” pattern, where detections lead to rapid uploads of new variants using evolved tactics.
Operating in parallel, the XORIndex campaign has garnered more than 9,000 downloads between June and July 2025, while HexEval continues with over 8,000 additional downloads.
These loaders target developers, job seekers, and cryptocurrency holders, aiming to exfiltrate sensitive credentials and wallet data through a chain of malware stages.
The XORIndex Loader, named for its XOR-encoded strings and index-based obfuscation, mirrors HexEval in functionality by collecting host metadata such as hostname, username, external IP, geolocation, and platform before decoding and executing follow-on scripts.
It fetches the second-stage BeaverTail malware from hardcoded C2 endpoints, which in turn deploys the third-stage InvisibleFerret backdoor.
BeaverTail scans for nearly 50 wallet directories and browser extension paths, including MetaMask, Phantom, and TronLink, archiving sensitive files like keychains and JSON seed data into a temporary ZIP file for exfiltration to IP-based HTTP servers.
This platform-agnostic malware operates across Windows, macOS, and Linux within the Node.js ecosystem, emphasizing remote code execution via eval() for payload delivery.
The campaign’s timeline reveals waves of deployments from April to July 2025, with 39 new HexEval packages and 28 XORIndex variants in the latest surge.
Technical Analysis of XORIndex
Tracing XORIndex’s development reveals a rapid progression from prototypes to sophisticated loaders.
Figure: the cronek package.
Early versions, like postcss-preloader, lacked obfuscation and reconnaissance, focusing solely on beaconing to C2 for remote code execution.
Transitional variants, such as js-log-print, introduced buggy host profiling, while dev-filterjs added ASCII buffer-based string obfuscation using TextDecoder.
Mature iterations incorporate XOR decoding, multi-endpoint rotation across Vercel-hosted /api/ipcheck paths, and dual eval() paths for primary and secondary payloads.
Shared infrastructure, including endpoints like https://soc-log[.]vercel[.]app/api/ipcheck and 144[.]217[.]86[.]88, links XORIndex to prior Contagious Interview operations, underscoring the actors’ investment in resilient supply chain attacks.
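The traits described above (XOR-decoded strings, TextDecoder-based string reconstruction, host profiling, eval() execution of fetched code, and Vercel-hosted /api/ipcheck endpoints) can be turned into a static triage check that a defender runs over a package's JavaScript before it is installed. The script below is an added example and is not Socket's tooling or code from any of the packages in the report; the indicator weights, the score threshold, and the two sample sources it scans are constructed for illustration, and the placeholder Vercel hostname in the suspicious sample is not a real C2 endpoint.

```javascript
// Added example (not Socket's code): weighted static triage of a JavaScript
// source string for loader traits the report attributes to XORIndex.
// Weights and threshold are constructed assumptions, not values from the report.

const INDICATORS = [
  // eval() of a runtime-built string is the payload delivery path the report describes
  { name: 'eval-call', weight: 3, re: /\beval\s*\(/ },
  // an XOR between two operands, typical of a per-byte decode loop
  { name: 'xor-expression', weight: 3, re: /[\w)\]]\s*\^\s*[\w(\[]/ },
  // TextDecoder used to rebuild a string from a numeric buffer
  { name: 'textdecoder-string-reconstruction', weight: 2, re: /new\s+TextDecoder\s*\([^)]*\)\s*\.decode\s*\(/ },
  // host profiling (hostname, username, platform) before beaconing
  { name: 'host-recon', weight: 2, re: /os\.(hostname|userInfo|platform)\s*\(/ },
  // the /api/ipcheck path on a vercel.app host, shared across the listed C2 endpoints
  { name: 'ipcheck-endpoint', weight: 3, re: /vercel\.app\/api\/ipcheck/ },
  // a bare-IP HTTP server, as used for BeaverTail exfiltration
  { name: 'raw-ip-http', weight: 2, re: /https?:\/\/\d{1,3}(?:\.\d{1,3}){3}\b/ },
];

// Scores a source string; a score of 6 or more (assumed threshold) is flagged
// for manual review rather than treated as a verdict on its own.
function triage(source) {
  const matched = INDICATORS.filter((ind) => ind.re.test(source));
  const score = matched.reduce((sum, ind) => sum + ind.weight, 0);
  return {
    score,
    hits: matched.map((ind) => ind.name),
    verdict: score >= 6 ? 'suspicious' : 'low',
  };
}

// CONSTRUCTED benign sample: ordinary config loading, no loader traits.
const BENIGN_SAMPLE = `
const fs = require('fs');
module.exports = function readConfig(path) {
  return JSON.parse(fs.readFileSync(path, 'utf8'));
};
`;

// CONSTRUCTED suspicious sample that carries the traits above. The byte values
// and the placeholder hostname are made up; it is a test fixture, not a loader.
const SUSPICIOUS_SAMPLE = `
const os = require('os');
const k = 0x5a;
const enc = [0x3e, 0x1b, 0x2e];
const s = new TextDecoder().decode(new Uint8Array(enc.map(b => b ^ k)));
const host = { h: os.hostname(), u: os.userInfo().username, p: os.platform() };
const url = 'https://example-placeholder.vercel.app/api/ipcheck';
eval(s);
`;

console.log('benign:', triage(BENIGN_SAMPLE));
console.log('suspicious:', triage(SUSPICIOUS_SAMPLE));
```

In practice the scanner would be run over every .js file under node_modules after a dry-run install (or over the tarball contents fetched with npm pack), and a 'suspicious' result would block the install pending review; the regexes are deliberately coarse, so expect benign hits from hashing code that uses XOR, and treat the score as a triage signal rather than a detection on its own.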
According to Socket's report, this evolution highlights increasingly sophisticated evasion techniques, such as memory-only execution and modular designs, which complicate detection.
Defenders face ongoing threats as actors diversify npm aliases, reuse malware like BeaverTail, and target high-value individuals in DevOps and open-source communities.
Recommendations include real-time scanning tools like Socket’s GitHub App and CLI to intercept malicious dependencies during installation or merges, alongside browser extensions for pre-install risk assessment.
As North Korean operations persist, proactive supply chain defenses are essential to mitigate these financially motivated, state-sponsored intrusions.
Indicators of Compromise (IOCs)
Category | Details |
---|---|
Malicious npm Packages | XORIndex: 28 pkgs (e.g., vite-meta-plugin, eth-auditlog, cronek); HexEval: 39 pkgs (e.g., nextjs-https-supertest, jsonslicer, node-mongo-orm) |
npm Aliases | XORIndex: 18 aliases (e.g., h96452582, devin-ta39, jasonharry1988); HexEval: 29 aliases (e.g., denniswinter, jinping, oleksandr522) |
Email Addresses | XORIndex: 15 emails (e.g., h96452582@gmail[.]com, devin.s@gedu[.]demo[.]ta-39[.]com); HexEval: 29 emails (e.g., denniswinter727@outlook[.]com, jinping0821@outlook[.]com) |
C2 Endpoints | https://soc-log[.]vercel[.]app/api/ipcheck, https://1215[.]vercel[.]app/api/ipcheck, https://log-writter[.]vercel[.]app/api/ipcheck, https://process-log-update[.]vercel[.]app/api/ipcheck, https://api[.]npoint[.]io/1f901a22daea7694face, 144[.]217[.]86[.]88 |
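The IOC table above is most useful when it is checked mechanically against a project's dependency tree and source, rather than read by eye. The script below is an added example, not Socket's tooling: it takes the package names and C2 endpoints exactly as the table lists them (the "e.g." examples only, so the list is not the full 67), refangs the defanged endpoints, and reports matches in a package-lock.json (lockfile v2/v3 "packages" map) and in a source string. The lockfile and the source snippet it checks are constructed test inputs.

```javascript
// Added example (not Socket's code): match a lockfile and source text against
// the report's IOC table. Package names and endpoints are copied from the table;
// the lockfile and source snippet are CONSTRUCTED for illustration.

const MALICIOUS_PACKAGES = new Set([
  // XORIndex examples from the table
  'vite-meta-plugin', 'eth-auditlog', 'cronek',
  // HexEval examples from the table
  'nextjs-https-supertest', 'jsonslicer', 'node-mongo-orm',
]);

// Kept in defanged form so the indicators are inert in this file.
const DEFANGED_C2 = [
  'https://soc-log[.]vercel[.]app/api/ipcheck',
  'https://1215[.]vercel[.]app/api/ipcheck',
  'https://log-writter[.]vercel[.]app/api/ipcheck',
  'https://process-log-update[.]vercel[.]app/api/ipcheck',
  'https://api[.]npoint[.]io/1f901a22daea7694face',
  '144[.]217[.]86[.]88',
];

// Turn "[.]" back into "." so the indicator matches what would appear in code.
function refang(ioc) {
  return ioc.replace(/\[\.\]/g, '.');
}
const C2_ENDPOINTS = DEFANGED_C2.map(refang);

// Collect every installed package name from a lockfile v2/v3 "packages" map.
// Keys look like "node_modules/foo" or "node_modules/a/node_modules/@scope/foo";
// the root project entry "" is skipped.
function lockfilePackageNames(lock) {
  const names = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    const idx = key.lastIndexOf('node_modules/');
    if (idx === -1) continue;
    names.add(key.slice(idx + 'node_modules/'.length));
  }
  return names;
}

// Names from the lockfile that appear in the malicious-package list, sorted.
function findMaliciousDependencies(lock) {
  return [...lockfilePackageNames(lock)]
    .filter((name) => MALICIOUS_PACKAGES.has(name))
    .sort();
}

// Refanged C2 endpoints that occur verbatim in a source string.
function findC2References(text) {
  return C2_ENDPOINTS.filter((endpoint) => text.includes(endpoint));
}

// CONSTRUCTED lockfile: one listed package as a direct dependency and one
// nested under a legitimate package, which a top-level-only check would miss.
const SAMPLE_LOCK = {
  name: 'constructed-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-app', dependencies: { express: '^4.0.0', cronek: '^1.0.0' } },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/cronek': { version: '1.0.3' },
    'node_modules/express/node_modules/jsonslicer': { version: '0.1.0' },
  },
};

// CONSTRUCTED source line built at runtime so the endpoint stays defanged here.
const SAMPLE_SOURCE = 'const u = "' + refang(DEFANGED_C2[0]) + '"; fetch(u);';

console.log('malicious packages in lockfile:', findMaliciousDependencies(SAMPLE_LOCK));
console.log('C2 references in source:', findC2References(SAMPLE_SOURCE));
```

To use it on a real project, replace SAMPLE_LOCK with JSON.parse of the project's package-lock.json and run findC2References over each installed file's contents; because the report names only a handful of the 67 packages, the name list should be extended from the full Socket advisory, and the endpoint check should be paired with egress logging for vercel.app hosts and the listed IP, since new aliases and endpoints appear faster than static lists are updated.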