North Korean Hackers Flood npm Registry with XORIndex Malware in Ongoing Attack Campaign

Jul 15, 2025 | Ravie Lakshmanan | Malware / Web Security

The North Korean threat actors associated with the Contagious Interview campaign have recently released 67 new malicious packages on the npm registry, highlighting ongoing efforts to compromise the open-source ecosystem through software supply chain attacks.

According to Socket, these packages have garnered over 17,000 downloads and include a previously undisclosed variant of a malware loader known as XORIndex. The activity extends an attack wave identified last month, in which 35 npm packages delivered another loader known as HexEval.

"The Contagious Interview operation continues to exhibit a cat-and-mouse dynamic, where defenders detect and report malicious packages, and North Korean threat actors promptly respond by uploading new variants using similar playbooks," stated Socket researcher Kirill Boychenko in a blog post.

Contagious Interview is a long-standing campaign that entices developers to download and execute an open-source project under the guise of a coding assignment. Identified in late 2023, the threat group is also known by other aliases such as DeceptiveDevelopment, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi.

This activity is believed to align with Pyongyang's remote information technology (IT) worker scheme, but here the actors target developers already employed at companies of interest rather than seeking employment themselves.

The attack chains involving malicious npm packages act as a conduit for a JavaScript loader and stealer known as BeaverTail, used to extract data from web browsers and cryptocurrency wallets, as well as deploy a Python backdoor named InvisibleFerret.

"The two campaigns are now running concurrently. XORIndex has amassed over 9,000 downloads within a short period (June to July 2025), while HexEval continues to gain traction with over 8,000 additional downloads across the newly identified packages," Boychenko explained.

The XORIndex Loader, like HexEval, profiles the compromised system and communicates with hard-coded command-and-control (C2) infrastructure to fetch the external IP address of the host. This information is then sent to a remote server before launching BeaverTail.

Further analysis of these packages shows the loader evolving continuously, from a basic prototype into a more sophisticated and stealthier piece of malware. Early versions lacked both obfuscation and reconnaissance capabilities; later iterations introduced rudimentary system reconnaissance.

"Contagious Interview threat actors will continue to diversify their malware arsenal, rotating through new npm maintainer aliases, reusing loaders like HexEval Loader, malware families such as BeaverTail and InvisibleFerret, and actively deploying newly discovered variants including XORIndex Loader," Boychenko added.

The disclosure coincides with findings from Safety that cybercriminals linked to Russia released 10 npm packages targeting Windows systems. The packages fetch a PowerShell payload from a remote server, which in turn deploys a data-stealing tool aimed at web browsers and may also launch a cryptocurrency miner.

"More alarmingly, they have manipulated npm download metrics to inflate their packages' download numbers, giving an illusion of legitimacy to their malicious code," noted security researcher Paul McCarty according to a report.
