Cybersecurity warning graphic showing the XORIndex malware campaign by North Korea, with npm logo, red alert symbol, and digital circuit background

Overview

Researchers at Socket have uncovered a new wave of malicious activity attributed to North Korean threat actors linked to the Lazarus Group. The ongoing Contagious Interview campaign now includes a novel malware loader dubbed XORIndex, embedded within 67 malicious packages uploaded to the npm registry.

These packages have been downloaded over 17,000 times, with at least 27 still live on the registry at the time of reporting. The campaign, which resurfaced in April 2025, shows the attackers iterating on their software supply chain tradecraft and underscores how exposed widely used package registries such as npm remain to this kind of abuse.


Campaign Background: The Contagious Interview Operation

The Contagious Interview campaign, first reported in 2023, is a social engineering and malware distribution effort by North Korean state-sponsored actors. It targets developers and IT professionals under the guise of fake job offers, often via platforms like LinkedIn, and lures them into running a "coding test" or demo project whose dependencies pull in malicious packages disguised as development tools.

Once the victim installs the infected software, a multi-stage malware chain is activated to profile the host, exfiltrate sensitive data, and ultimately deploy remote access tools for long-term compromise. In many cases, the goal is cryptocurrency theft, as well as access to credentials and enterprise environments.


XORIndex Loader: A New Stealth Tactic

The XORIndex loader is deployed through a postinstall script embedded in JavaScript packages hosted on npm. Once executed, it performs the following actions:

  • Host Profiling: Collects system information such as hostname, OS type, username, and external IP address.
  • Beaconing and Exfiltration: Sends the collected profile to a hardcoded Command and Control (C2) endpoint hosted on Vercel cloud infrastructure.
  • Second-Stage Payload: Receives JavaScript returned by the C2 and runs it with eval(); in observed cases this deploys BeaverTail, which in turn stages InvisibleFerret.

This loader runs in parallel with a previously documented loader known as HexEval, indicating that Lazarus continues to evolve its tooling while reusing proven components in stealthier forms.


Second- and Third-Stage Payloads

The XORIndex campaign chain includes:

BeaverTail:

  • Searches system paths for data linked to desktop cryptocurrency wallets, browser extension storage, macOS Keychain credentials, and wallet-related JSON files.
  • Harvested data is transmitted to a hardcoded IP address and the local staging copies are deleted afterwards to hinder forensic recovery.

InvisibleFerret:

  • Acts as a third-stage backdoor, providing persistent access for lateral movement, further payloads, or direct command execution.

These components have been repeatedly used in Lazarus Group operations aimed at monetizing breaches through crypto-asset theft and espionage.


Malicious Package Details

Among the 67 packages discovered in this wave, the following were identified as impersonating legitimate libraries or mimicking the naming conventions of popular tooling (Vite plugins, PostCSS, chalk, Prettier, Middy):

  • vite-meta-plugin
  • vite-postcss-tools
  • vite-logging-tool
  • vite-proc-log
  • pretty-chalk
  • postcss-preloader
  • js-prettier
  • flowframe
  • figwrap
  • midd-js
  • middy-js

All packages contain obfuscated code and scripts that attempt to appear benign while launching XORIndex from the postinstall hook.

Socket confirmed that multiple npm accounts and 15 unique email addresses were used to distribute the malware, allowing the actors to republish quickly after each takedown.


Supply Chain Risk and Evasion Techniques

The Lazarus Group’s repeated success in publishing malicious npm packages highlights several concerns:

  • Typosquatting: Threat actors mimic legitimate package names to catch mistyped or copy-pasted install commands.
  • Automation Abuse: The attackers rely on scripted account creation and package publishing.
  • Persistence via Rotation: After detection, new accounts and slightly modified packages are quickly published.

Socket researchers emphasize that defenders should expect ongoing iterations of malware loaders and packaging strategies designed to evade automated scanning and security tools.


Defensive Recommendations for CISOs

To defend against evolving software supply chain attacks like XORIndex, CISOs should implement the following:

  1. Strict Dependency Audits
    Enforce package allowlisting, lockfile pinning and source verification policies. Do not allow unvetted open-source components into production environments.
  2. Automated Code Scanning Tools
    Employ security platforms capable of detecting malicious scripts and obfuscation within JavaScript packages (e.g., ReversingLabs, Socket, Snyk).
  3. Isolated Execution Environments
    Ensure new libraries and tools are tested in sandboxed or virtualized environments before integration into developer machines.
  4. Monitoring and Threat Hunting
    Proactively monitor for communications to known C2 infrastructure used by XORIndex, BeaverTail, and InvisibleFerret.
  5. Developer Awareness Training
    Include supply chain compromise scenarios in awareness training for software engineers and DevOps personnel.
  6. Incident Response Preparation
    Prepare for potential compromise from npm-based infections and ensure EDR solutions can detect suspicious child processes and network connections spawned from npm lifecycle (postinstall) scripts, since the eval() call itself runs inside the script interpreter and is not visible as a separate process event.

KQL Query

Below is a Microsoft Defender Advanced Hunting (KQL) query that surfaces suspicious npm activity related to the XORIndex, BeaverTail and InvisibleFerret chain. It flags:

  • npm install invocations (node running npm-cli.js on macOS and Linux, npm.cmd via cmd.exe on Windows)
  • Installation of the package names listed above
  • Shells spawned by npm to run lifecycle (postinstall) scripts
  • Command lines that pass eval( to an interpreter

Two caveats. The word postinstall and the eval() call live inside the package's script files, so they rarely appear in process command lines; treat those clauses as weak signals and confirm by inspecting the package on disk. Lifecycle scripts are also used legitimately (native modules that compile on install, for example), so expect to tune the results per environment.

DeviceProcessEvents
| where Timestamp > ago(30d)
// There is no npm.exe: on Windows npm runs as npm.cmd -> node.exe, elsewhere as node running npm-cli.js,
// and lifecycle (postinstall) scripts run in a child shell (cmd.exe / sh) whose parent is that node process.
| where FileName in~ ("node.exe", "node", "npm.cmd", "npm", "cmd.exe", "sh", "bash")
| where ProcessCommandLine has_any ("npm install", "npm-cli.js", "npx")
    or InitiatingProcessCommandLine has_any ("npm install", "npm-cli.js")
| where ProcessCommandLine matches regex @"(?i)\b(vite-meta-plugin|vite-postcss-tools|vite-logging-tool|vite-proc-log|pretty-chalk|postcss-preloader|js-prettier|flowframe|figwrap|midd-js|middy-js)\b"
    // "postinstall" itself is not on the command line; the shell that npm spawns to run the hook is
    or (FileName in~ ("cmd.exe", "sh", "bash") and InitiatingProcessFileName in~ ("node.exe", "node"))
    or ProcessCommandLine has "eval("
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine

Conclusion

The appearance of XORIndex alongside HexEval in the npm ecosystem demonstrates that North Korea's Lazarus Group continues to refine its offensive tooling, combining malware development with social engineering and registry abuse. This campaign should serve as a wake-up call for organizations relying heavily on open-source libraries without robust vetting, especially in developer-heavy environments.

Supply chain security is no longer optional—it is a core pillar of enterprise cyber defense.


Sources:

  • Socket Research Blog, socket.dev (July 14, 2025)
  • BleepingComputer, Bill Toulas (July 15, 2025)
  • CISOnode Analysis
