North Korean Hackers Unleash Malicious NPM Mayhem: 67 Packages, 17K Downloads, and Counting!
North Korea-linked hackers have packaged more malware than a suspiciously generous gift basket. Utilizing 67 malicious npm packages loaded with the XORIndex loader, they’ve racked up over 17,000 downloads. This cunning supply chain attack is like a bad sequel, and XORIndex is only the opening act: its job is to fetch the BeaverTail stealer, which in turn brings in the InvisibleFerret backdoor.

Hot Take:
North Korean hackers are back at it again, this time making sure your npm packages come with a side of malware. Who knew “package management” could be this exhilarating? It’s like unboxing a surprise, except the surprise is a digital hand grenade trying to steal your crypto wallets. North Korea: putting the ‘fun’ in ‘functionally ruin your day’ since forever.
Key Points:
- North Korean hackers uploaded 67 malicious npm packages containing XORIndex malware.
- These packages have surpassed 17,000 downloads, indicating a widespread impact.
- XORIndex is a loader: it deploys BeaverTail, which in turn downloads the InvisibleFerret backdoor.
- Despite takedown efforts, 27 packages remain active.
- The strategy includes using legitimate services like Vercel to evade detection.
Need to know more?
A Nefarious Plot Unfolds
In a plot twist worthy of a cyber spy thriller, North Korean cyber actors have been busy uploading 67 malicious npm packages laden with the XORIndex loader, and those packages have already racked up over 17,000 downloads. Talk about going viral for all the wrong reasons! XORIndex itself is the digital Houdini of the operation: its whole act is to slip past detection and pull down the equally charming BeaverTail malware, known for its penchant for crypto wallets and browser extensions. Think of it as a high-stakes game of “Finders Keepers,” except they’re the finders, and you’re definitely the losers.
HexEval and XORIndex: Partners in Crime
The XORIndex campaign is the latest chapter in the Contagious Interview series, which previously featured the HexEval loader. While HexEval is still playing the hits with over 8,000 downloads, XORIndex is the hot new act on the malware scene. These hackers are like the rockstars of cybercrime, constantly reinventing their setlist to keep the crowd on their toes. They’ve even gone for techniques like string obfuscation and multi-endpoint C2 rotation: the URLs, paths and other telltale strings are encoded so a plain-text grep of the package finds nothing, and the loader carries several command-and-control addresses so that blocking one of them doesn’t stop the show. In layman’s terms, they’re really good at dodging the bouncers.
BeaverTail: The Malware Mascot
BeaverTail isn’t just a catchy name; it’s the second-stage malware delivered by XORIndex, known for its ability to sniff out crypto wallets and browser extensions like a truffle pig with a nose for Bitcoin. It doesn’t stop there; it also downloads the InvisibleFerret backdoor, a tool as sneaky as its name suggests. This digital ferret is all about infiltration, and it arrives under forgettable filenames like “p.zi” and “p2.zip” so that nothing in a directory listing catches the eye. It’s like a digital ninja, only it won’t save the day, just ruin it.
The Persistence of Malicious Memory
Despite takedown efforts, a stubborn 27 packages remain live, proving that these hackers are nothing if not persistent. They’ve taken a page out of the “if at first you don’t succeed, try, try again” playbook, making them the digital equivalent of that one mosquito you just can’t swat. By staging their payloads on legitimate services like Vercel, they lower their operational overhead and make life harder for defenders: the traffic goes to a hosting domain that plenty of real sites also use, so you can’t simply block it without breaking things your developers actually need. It’s like trying to catch water with a sieve. Good luck with that!
Evolution of a Threat
As if things weren’t complicated enough, the Contagious Interview threat actors are diversifying their malware portfolio faster than a Silicon Valley startup. They’re rotating through new npm maintainer aliases, reusing old tricks like the HexEval loader, and introducing new ones like the XORIndex loader. It’s a malware buffet, and they’re serving up a little bit of everything. Their consistent use of legitimate infrastructure means they’re not just playing the game; they’re changing it. And with evasive methods like memory-only execution, where the fetched stage runs straight from memory and never lands on disk as a file for antivirus or forensics to pick over, they’re making detection and incident response feel like trying to catch a ghost in a fog.
So there you have it, folks. The next time you’re downloading npm packages, remember: it might come with a little something extra. Consider it the digital equivalent of a Cracker Jack box, only this prize might just steal your crypto wallet. Check what runs at install time, pin what you depend on, and stay safe out there!