67 Malicious Packages Flood npm Registry Targeting JavaScript Developers

In a significant escalation of their cyber operations, North Korean threat actors have uploaded 67 new malicious packages to the npm Registry, a vital platform for JavaScript code-sharing. This action is part of an ongoing campaign known as Contagious Interview, which specifically targets open-source JavaScript developers through the deployment of malware loaders.
This recent wave of attacks is indicative of an expanding adversarial strategy that commenced in April 2025 and intensified in June. Analysts at Socket identified 28 of these newly published packages as utilizing an undocumented loader termed XORIndex, while 39 others employed the older HexEval Loader. Collectively, these malicious packages have recorded over 17,000 downloads, with 27 remaining active on the npm registry at the time of this report.
The npm Registry, governed by npm Inc., a subsidiary of GitHub, stands out as a preeminent JavaScript code-sharing environment, hosting over 2 million packages. Socket’s researchers position this campaign as a continuation of preceding malicious activities. In June, identical North Korean operatives infiltrated the npm ecosystem with 35 malicious packages that facilitated the deployment of information stealers and backdoors on developers’ systems. The current campaign reflects an ongoing advancement in their targeting techniques within the open-source supply chain.
The XORIndex loader exemplifies an evolution in sophistication, employing obfuscation methods such as XOR-encoded strings and index-based obfuscation that make detection substantially more challenging. Upon successful installation, the loader collects system telemetry, including the hostname, username, IP address, operating system type, and geolocation, and transmits this data to command-and-control servers hosted on legitimate cloud platforms such as Vercel.
The loader then executes JavaScript payloads retrieved from the C2 (command-and-control) servers, invoking a second-stage downloader known as BeaverTail. This component locates and archives sensitive information, including browser extension data and cryptocurrency wallet credentials, targeting nearly 50 known wallet paths and a multitude of browser profiles. It exfiltrates this data to hardcoded IP addresses via HTTP POST requests.
Following data exfiltration, BeaverTail attempts to download and execute additional malicious components from the same C2 server. The final payload, referred to as InvisibleFerret, serves as a third-stage backdoor that establishes persistent access and expanded capabilities on compromised systems.
Analysis of XORIndex reveals its rapid evolution through three developmental iterations. The initial version, known as postcss-preloader, offered basic remote code execution with no obfuscation or telemetry collection. A subsequent prototype, js-log-print, incorporated limited reconnaissance capabilities but was flawed. The latest variant, dev-filterjs, introduced string obfuscation via ASCII buffers and correctly transmitted host data, laying the groundwork for the current, more advanced iteration of XORIndex.
Maintaining campaign momentum, the adversaries employed familiar tactics: consistent naming conventions for the malicious packages, such as vite-* and *-log*, and reuse of infrastructure from prior campaigns. The threat actors consistently rotated email addresses and npm account aliases to circumvent detection and swiftly replace removed packages.
Experts note that the Contagious Interview campaign is characterized by its persistence, evasiveness, and modular structure. Its use of memory-only execution, JavaScript-based payload delivery, and legitimate cloud infrastructure reduces visibility for defenders and complicates incident response. Analysts anticipate that future iterations will introduce new loader types, additional evasion mechanisms, and further malware families while continuing to exploit open-source ecosystems.