Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

North Korean Hackers Flood npm Registry with XORIndex Malware in Ongoing Attack Campaign

The Hacker News by The Hacker News
July 15, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Jul 15, 2025Ravie LakshmananMalware / Web Security

The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing another set of 67 malicious packages to the npm registry, underscoring ongoing attempts to poison the open-source ecosystem via software supply chain attacks.

The packages, per Socket, have attracted more than 17,000 downloads, and incorporate a previously undocumented version of a malware loader codenamed XORIndex. The activity is an expansion of an attack wave spotted last month that involved the distribution of 35 npm packages that deployed another loader referred to as HexEval.

Cybersecurity

“The Contagious Interview operation continues to follow a whack-a-mole dynamic, where defenders detect and report malicious packages, and North Korean threat actors quickly respond by uploading new variants using the same, similar, or slightly evolved playbooks,” Socket researcher Kirill Boychenko said.

Contagious Interview is the name assigned to a long-running campaign that seeks to entice developers into downloading and executing an open-source project as part of a purported coding assignment. First publicly disclosed in late 2023, the threat cluster is also tracked as DeceptiveDevelopment, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi.

The activity is believed to be complementary to Pyongyang’s infamous remote information technology (IT) worker scheme, adopting the strategy of targeting developers already employed in companies of interest rather than applying for a job.

The attack chains using malicious npm packages are fairly straightforward in that they serve as a conduit for a known JavaScript loader and stealer called BeaverTail, which is subsequently used to extract data from web browsers and cryptocurrency wallets, as well as deploy a Python backdoor referred to as InvisibleFerret.

“The two campaigns now operate in parallel. XORIndex has accumulated over 9,000 downloads in a short window (June to July 2025), while HexEval continues at a steady pace, with more than 8,000 additional downloads across the newly discovered packages,” Boychenko said.

The XORIndex Loader, like HexEval, profiles the compromised machine and uses endpoints associated with hard-coded command-and-control (C2) infrastructure to obtain the external IP address of the host. The collected information is then beaconed to a remote server, after which BeaverTail is launched.

Cybersecurity

Further analysis of these packages has uncovered a steady evolution of the loader, progressing from a bare-bones prototype to a sophisticated, stealthier malware. Early iterations have been found to lack in obfuscation and reconnaissance capabilities, while keeping their core functionality intact, with second and third-generation versions introducing rudimentary system reconnaissance capabilities.

“Contagious Interview threat actors will continue to diversify their malware portfolio, rotating through new npm maintainer aliases, reusing loaders such as HexEval Loader and malware families like BeaverTail and InvisibleFerret, and actively deploying newly observed variants including XORIndex Loader,” Boychenko said.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Global IT spend keeps growing despite trade war concerns

Global IT spend keeps growing despite trade war concerns

Recommended.

Truvista Fiber Contributes More Than 2,000 to Support Local Schools

Truvista Fiber Contributes More Than $112,000 to Support Local Schools

June 2, 2026
Shiji and IPORT Partner to Transform Hotel and Restaurant Operations with All-in-One iOS Mobility Solution

Shiji and IPORT Partner to Transform Hotel and Restaurant Operations with All-in-One iOS Mobility Solution

June 16, 2025

Trending.

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

May 21, 2025
Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

April 23, 2025
MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

April 7, 2025
VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

September 11, 2025
Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

May 8, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio