North Korean Hackers Exploit 67 Malicious npm Packages to Spread XORIndex Malware


The Socket Threat Research Team has discovered a new software supply chain attack that uses a previously unreported malware loader called XORIndex, marking a major uptick in North Korean cyber operations.

This activity builds on the Contagious Interview campaign previously detailed in June 2025, which involved the HexEval Loader.

The adversaries, attributed to North Korean state-backed actors, infiltrated the npm registry with 67 malicious packages, amassing over 17,000 downloads collectively.

Of these, 27 packages remain active, prompting immediate takedown requests to npm’s security team and account suspensions.

Contagious Interview Campaign

The campaign exhibits a persistent “whack-a-mole” pattern, where detections lead to rapid uploads of new variants using evolved tactics.

Operating in parallel, the XORIndex campaign has garnered more than 9,000 downloads between June and July 2025, while HexEval continues with over 8,000 additional downloads.

XORIndex Loader variant

These loaders target developers, job ...


Copyright of this story solely belongs to gbhackers.