Thursday, October 16, 2025

North Korea’s “Contagious Interview” Campaign Surges in npm Attack Waves — Arabian Post

A new wave of supply-chain attacks has seen North Korean operators publish more than 300 malicious npm packages that infect developer systems with malware built to steal credentials and cryptocurrency. The campaign, known as “Contagious Interview,” exploits the trust developers place in open-source tooling by hiding the malware inside packages whose names mimic legitimate ones.

The Socket Threat Research Team disclosed that the attackers uploaded 338 malicious npm modules, downloaded more than 50,000 times in total, many of them carrying a newly observed loader named XORIndex. About 27 of the packages remained live in the npm registry at the time of disclosure. Once executed, XORIndex profiles the host (machine and user metadata), reports it to attacker-controlled infrastructure and fetches the second-stage payload, BeaverTail, an information stealer that in turn deploys the InvisibleFerret backdoor for persistence and data exfiltration. This expansion follows an earlier surge in June of 35 malicious modules that used a loader called HexEval.

Researchers emphasise that Contagious Interview is not a static campaign but a running contest between defenders and the adversary. As packages are taken down, the attackers quickly republish variants under fresh aliases or switch loader techniques. The 67-package wave that introduced XORIndex illustrates the escalation: those modules alone exceeded 17,000 downloads. The attackers have deployed XORIndex and HexEval side by side, which points to modular tooling and a capacity to adapt quickly.

Social engineering remains the campaign’s backbone. The actors pose as recruiters or HR contacts on platforms such as LinkedIn and target software engineers and job-seekers. The “interview assignment” is a GitHub or Bitbucket repository the candidate is asked to clone and run, with the malicious npm package buried among the project’s dependencies so that installing or running the project pulls it in. Because many developers run such projects on their everyday workstation rather than in a sandbox or a disposable VM, the loader executes quietly with the developer’s own privileges and opens the way to full system compromise.

Analysts attribute Contagious Interview to DPRK-aligned threat groups tracked under names such as CL-STA-0240, DeceptiveDevelopment, Tenacious Pungsan and Void Dokkaebi. The methodology matches patterns seen from the Lazarus Group and its affiliates, which continue to weaponise open-source ecosystems for espionage and financial theft. XORIndex and HexEval share infrastructure and tactics, including encrypted communication with command-and-control servers. In several cases the accounts that published the malicious packages chose repository names containing “interview,” echoing the campaign’s lure.

The campaign’s reach extends beyond npm: some modules reference Bitbucket repositories, and the same tactics have appeared in attacks on PyPI packages. The goal appears twofold: gaining access to developer environments to steal intellectual property and credentials, and draining cryptocurrency from wallets found on compromised machines.

Security firms and registry maintainers have responded with takedown requests and account suspensions. Socket reported the removal of six live HexEval-based modules earlier this year, and the npm security team has worked with researchers to suspend the associated accounts. But defenders concede that this reactive posture is fragile: new attack waves resurface within hours of a takedown.
