North Korea is escalating its supply chain attacks on the npm ecosystem along with a novel obfuscated loader, the Socket Research Team reported Monday.The “Contagious Interview” campaign spreading BeaverTail malware originally began in April 2025 with four npm packages, and has grown to 67 packages that have been downloaded a total of about 17,000 times.“The Contagious Interview operation continues to follow a whack-a-mole dynamic, where defenders detect and report malicious packages, and North Korean threat actors quickly respond by uploading new variants using the same, similar, or slightly evolved playbooks,” the Socket researchers wrote.The North Korean threat actor’s hallmark BeaverTail malware serves as an infostealer that scans infected systems for nearly 50 wallet apps, as well as extensions for Chromium and Gecko-based browsers and sensitive keychain, database and .json files.BeaverTail also facilitates download of the InvisibleFerret backdoor to establish persistence. In previous campaigns in April and June 2025, a loader known as HexEval was used to fetch BeaverTail from Vercel-hosted domains.In the latest wave of npm packages, a new loader has emerged called XORIndex, which uses XOR encoding and index-based obfuscation to mask its malicious nature. In July 2025, 39 packages containing HexEval and 17 containing XORIndex were discovered, according to Socket.XORIndex collects system information such as hostname, username, OS type, IP address and geolocation before loading BeaverTail using an eval() call. Socket discovered multiple versions of XORIndex, allowing them to track the evolution of the loader from one that lacked obfuscation and host reconnaissance to the current stealthier and more capable version.The malicious packages spoof popular legitimate packages and utilities with names such as vite-meta-plugin, eth-auditlog, springboot-js and tailwind-base-theme. Socket reported all of the offending packages to npm. While some of the packages remained active when Socket’s blog post was published Monday, all of the packages appeared to be removed as of Tuesday afternoon.“Defenders should expect continued iterations of these loaders across newly published packages, often with slight variations to evade detection. The threat actors’ consistent use of legitimate infrastructure providers like Vercel for C2 lowers operational overhead and may influence similar adoption by other APTs or cybercriminal groups,” the Socket researchers noted.Developers are urged to be proactive about their supply chain defense by being aware of potential threats in the open source ecosystem and scanning code for malicious behavior and dependencies prior to incorporating them into projects.Contagious Interview has also targeted job seekers by posing as recruiters on LinkedIn and convincing applicants to perform “coding assignments” that involve running code with its malicious packages outside containerized environments, Socket previously reported.
DevOps, Threat Intelligence, Malware, Supply chain
67 malicious npm packages, novel loader spread North Korean malware
(Credit: Araki Illustrations – stock.adobe.com)
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds