
North Korean threat actors linked to the Contagious Interview campaign have published another set of 67 malicious packages in the npm registry, highlighting their ongoing attempts to poison the open-source ecosystem through software supply chain attacks.
According to Socket, the packages have collectively attracted over 17,000 downloads and carry a previously undocumented version of a malware loader codenamed XORIndex. The activity extends an attack wave discovered last month, in which 35 npm packages were used to deploy another loader, called HexEval.

“The Contagious Interview operation follows a whack-a-mole dynamic where defenders detect and report malicious packages, and North Korean threat actors respond quickly by uploading new variants using the same, similar or slightly evolved playbook,” said Socket security researcher Kirill Boychenko.
Contagious Interview is the name assigned to a long-running campaign that lures developers into downloading and running trojanized open-source projects under the guise of a coding assignment. First publicly documented in late 2023, the threat cluster is also tracked as DeceptiveDevelopment, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi.
The activity is assessed to complement Pyongyang's infamous remote Information Technology (IT) worker scheme, but with the inverse strategy: rather than applying for jobs, the operators target developers already employed at companies of interest.

The attack chain involving the malicious npm packages is fairly simple: the packages act as a conduit for a known JavaScript loader and stealer called BeaverTail, which extracts data from web browsers and cryptocurrency wallets and deploys a Python backdoor called InvisibleFerret.
“The two campaigns are currently operating in parallel. XORIndex has accumulated over 9,000 downloads in a short window (June to July 2025), while HexEval continues at a steady pace, with over 8,000 additional downloads across the newly discovered packages,” Boychenko said.
The XORIndex loader, like HexEval, profiles the compromised machine and uses endpoints associated with hard-coded command-and-control (C2) infrastructure to obtain the host's external IP address. The collected information is beaconed to the remote server, after which BeaverTail is launched.
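The traits described above (install-time execution, obfuscated strings, a hard-coded C2 address, and a second stage spawned from the loader) are what a reviewer can look for in a package before it runs. The following is an added example, not code from the article or from Socket, of a small static audit that scores a package on those generic heuristics. The two sample packages, their file contents and the rule set are constructed for this demonstration; they are not the real XORIndex or HexEval code, and the rules are heuristics rather than signatures for these packages.

```javascript
// Added example (not from the article or from Socket): a static audit for the
// generic traits of an npm loader: install-time lifecycle hook, XOR/charCode
// string decoding, long encoded literals, a literal-IP URL, and spawning of a
// second stage. All samples and rules below are constructed for the demo.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

// Source-level heuristics; each carries a short reason a reviewer can act on.
const SOURCE_RULES = [
  { id: 'xor-decode',   re: /charCodeAt\([^)]*\)\s*\^/,                                       why: 'XOR-based string decoding' },
  { id: 'encoded-blob', re: /(\\x[0-9a-fA-F]{2}){8,}|['"][A-Za-z0-9+/]{64,}={0,2}['"]/,        why: 'long hex-escaped or base64 literal' },
  { id: 'dynamic-eval', re: /\b(?:eval|new\s+Function)\s*\(/,                                why: 'runtime code evaluation' },
  { id: 'hardcoded-ip', re: /https?:\/\/(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?\b/,               why: 'URL with a literal IP address (possible C2)' },
  { id: 'spawn-stage2', re: /require\(['"]child_process['"]\)|\bexec(?:Sync)?\(|\bspawn\(/,  why: 'spawns another process' },
];

// Audit one package: `pkg` is the parsed package.json, `files` maps file
// names to their source text. Returns a list of findings with locations.
function auditPackage(pkg, files) {
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (cmd) findings.push({ id: 'lifecycle-hook', where: `scripts.${hook}`, detail: cmd, why: 'code runs at install time' });
  }
  for (const [name, src] of Object.entries(files)) {
    for (const rule of SOURCE_RULES) {
      const m = src.match(rule.re);
      if (m) findings.push({ id: rule.id, where: name, detail: m[0], why: rule.why });
    }
  }
  return findings;
}

// Verdict: install-time execution combined with any source heuristic is the
// loader pattern; anything else with findings gets a human look.
function verdict(findings) {
  const ids = new Set(findings.map(f => f.id));
  if (ids.has('lifecycle-hook') && ids.size > 1) return 'suspicious';
  return ids.size > 0 ? 'review' : 'clean';
}

// Constructed sample (hypothetical package name): a postinstall hook whose
// script decodes XOR-obfuscated strings, references a literal-IP beacon URL
// (RFC 5737 TEST-NET-3 range) and executes whatever it decoded.
const suspiciousPkg = {
  name: 'example-loader-pkg',
  version: '1.0.0',
  scripts: { postinstall: 'node lib/init.js' },
};
const suspiciousFiles = {
  'lib/init.js': [
    "const cp = require('child_process');",
    'const k = 0x5a;',
    "const d = s => s.split('').map(c => String.fromCharCode(c.charCodeAt(0) ^ k)).join('');",
    "const c2 = 'http://203.0.113.10:8080/beacon';",
    "cp.execSync('node ' + d('\\x3e\\x3c\\x3f\\x33\\x7a\\x2f\\x38\\x31'));",
  ].join('\n'),
};

// Constructed benign sample: no lifecycle hooks, no obfuscation.
const benignPkg = { name: 'pad-helper', version: '1.0.0', scripts: { test: 'node test.js' } };
const benignFiles = { 'index.js': 'module.exports = (s, n) => s.padStart(n);' };

for (const [pkg, files] of [[suspiciousPkg, suspiciousFiles], [benignPkg, benignFiles]]) {
  const f = auditPackage(pkg, files);
  console.log(pkg.name, verdict(f), f.map(x => `${x.id}@${x.where}`).join(' '));
}
```

To apply this to a real package without installing it, fetch the tarball with `npm pack <name>` (or `npm view <name> dist.tarball`), extract it, and feed `package.json` and the extracted `.js` files to `auditPackage`; the lifecycle-hook check is the important one, since everything the loader does on victim machines starts from that hook running during `npm install`.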

Further analysis of these packages revealed a steady evolution of the loader, from a bare-bones prototype to a more sophisticated, stealthier piece of malware. Early iterations lacked obfuscation and reconnaissance capabilities while keeping the core functionality intact; second- and third-generation versions introduced rudimentary system reconnaissance.
“The Contagious Interview threat actors will continue to diversify their malware portfolio, rotating through new npm maintainer aliases, reusing loaders such as HexEval Loader and malware families such as BeaverTail, and actively deploying newly observed variants such as XORIndex Loader,” Boychenko said.