A major new cyberattack campaign has been uncovered, and this time it’s targeting developers through one of their most trusted tools, npm. Security researchers have found that North Korean hackers are behind a new wave of malicious npm packages, which are being used to infect systems with malware under the radar.

This campaign is part of a broader effort known as the “Contagious Interview” operation. It’s a social engineering scheme where fake recruiters pretend to offer developer jobs. As part of the interview process, targets are sent code samples or test projects. These code samples contain hidden malware that quietly executes when the victim installs or runs them.

According to security teams at Phylum and Socket, this latest wave includes 67 malicious npm packages that have already been downloaded over 17,000 times. What’s most alarming is that many of these packages were still available on npm at the time of discovery, meaning others could continue to unknowingly install them.

The malware used in this attack is a new loader named XORIndex. Once a package containing XORIndex is installed, it collects device data like usernames, IP addresses, geolocation, and machine names. That information is then sent to a command-and-control server controlled by the attackers. After that, XORIndex fetches and executes another malware loader known as BeaverTail.

BeaverTail is where things get really serious. This malware looks for sensitive data, especially related to cryptocurrency wallets and browser extensions. It attempts to steal wallet keys, session tokens, saved passwords, and even clipboard contents. Once it’s done gathering that information, it uploads it all to a remote server.

But the attack doesn’t stop there. BeaverTail then installs another backdoor called InvisibleFerret, which allows the hackers to maintain long-term access to the victim’s device. It’s stealthy and can run commands remotely, steal files, and continue spying silently. Researchers say this is what gives the attackers full control over the infected system.

The campaign seems well-organized and constantly evolving. Earlier this year, North Korean hackers used a similar loader called HexEval, and now they’ve returned with XORIndex and more advanced techniques. Each new package is slightly more advanced than the last, using heavier obfuscation and different delivery methods.

What’s especially dangerous is that these packages don’t raise red flags right away. Some even contain real, functional code, so they can pass as legitimate. This makes them hard to detect unless you’re closely inspecting every line, something most developers don’t have time for when doing test assignments or setting up new projects.

Researchers identified the malicious packages using names like eth-auditlog, cronek, and several others that mimic legitimate libraries or sound convincing to a busy developer. They’ve been uploaded from different npm accounts to avoid getting traced or flagged.

Security teams are urging developers to be extremely cautious, especially when working with code sent by recruiters or unknown collaborators. Always use a sandbox environment or virtual machine to run unfamiliar code. Also, regularly check what packages your project depends on and audit their sources.

This isn’t the first time North Korea has targeted developers through npm. But what makes this attack different is the scale and speed. These packages are being updated and replaced constantly, making it a game of cat and mouse for defenders.

At a time when more companies are relying on open-source software and distributed development teams, attacks like this one remind us that the software supply chain is vulnerable at every level. Even trusted platforms like npm can be abused if we aren’t careful.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news