North Korean state-sponsored threat actors have significantly expanded the scope of the notorious “Contagious Interview” campaign with the deployment of a sophisticated new malware loader known as XORIndex, according to recent findings from security researchers at Socket.
This ongoing software supply chain attack, which primarily targets software developers, cryptocurrency users, and other high-value individuals, demonstrates escalating capabilities and an aggressive pace of evolution. The campaign’s latest phase delivers advanced multi-stage malware designed to steal sensitive information, establish persistent backdoors, and compromise cryptocurrency assets.
A Closer Look at the Campaign
The “Contagious Interview” campaign leverages a combination of social engineering tactics and malicious open-source packages to infiltrate victims’ systems. Operatives posing as tech recruiters initiate conversations on platforms such as LinkedIn and GitHub, often offering enticing job opportunities. These seemingly legitimate engagements involve convincing victims to download npm packages that contain hidden malicious payloads posing as coding challenges or developer tools.
Once executed, the malware collects detailed host information and downloads next-stage components for deeper system infiltration.
Introduction of XORIndex: A Sophisticated Malware Loader
Researchers at Socket have identified XORIndex as a newly deployed malware loader embedded in at least 67 malicious npm packages that have collectively been downloaded over 9,000 times in the past month alone.
Key Capabilities of XORIndex:
- Host Profiling: Gathers system-level data for victim profiling and targeting.
- Payload Deployment: Downloads second-stage malware, namely BeaverTail, an info-stealer, and InvisibleFerret, a remote access trojan with persistent backdoor functionality.
- Cryptocurrency Theft: Targets browser extensions and wallets to silently exfiltrate digital assets.
- Anti-Analysis Techniques: Uses obfuscation tactics to bypass traditional antivirus detection.
These packages often bear names similar to legitimate libraries—such as vite-meta-plugin or js-prettier—to increase credibility and attract unsuspecting developers.
Malware Ecosystem: A Multi-Stage Chain of Compromise
The broader attack ecosystem deployed by these threat actors now includes several custom malware components functioning in a multi-stage infection process:
| Malware Component | Description | Purpose |
|---|---|---|
| HexEval | Initial-stage loader used in early waves | Delivers the BeaverTail payload |
| XORIndex | New and more robust loader | Delivers BeaverTail and InvisibleFerret |
| BeaverTail | Info-stealer | Extracts browser data, credentials, and cryptocurrency |
| InvisibleFerret | Remote access backdoor | Establishes persistence and enables prolonged surveillance |
| Keylogger (optional) | Keystroke logger | Captures typed credentials in real time |
Socket researchers observed that attackers quickly pivoted from the use of older loaders like HexEval, which remains active in many npm packages (e.g., react-plaid-sdk, vite-plugin-next-refresh), to the newer XORIndex—likely in response to increasing detection.
Threat Scope and Ongoing Risk
In total, more than 17,000 malicious downloads have been recorded from 67 npm packages, many of which remain available in the public repository as of July 2025. Notably, the attackers maintain a rapid pace of deployment, with frequent updates, renaming patterns, and new alias registrations.
Despite takedown efforts, at least 27 of the malicious packages remain accessible, emphasizing the challenges in responding to dynamic supply chain threats.