A new chapter in the ongoing Contagious Interview campaign has emerged, as the Socket Threat Research Team unveils a fresh wave of malicious activity tied to North Korean state-backed actors. This wave introduces a stealthy malware loader dubbed XORIndex, designed to infiltrate software supply chains via the npm registry.
This campaign is not a one-off attack but rather part of a persistent and evolving operation that continues to target developers, job seekers, and individuals with cryptocurrency assets or sensitive credentials.
The latest attack wave saw 67 malicious npm packages, including 28 carrying XORIndex, uploaded to the registry between June and July 2025. Alarmingly, 27 of them remain live at the time of reporting. In total, these packages were downloaded over 17,000 times.
This campaign follows the group’s earlier activity involving the HexEval Loader and demonstrates a “whack-a-mole” dynamic, as defenders detect and report packages, only for attackers to quickly upload new variants.
“We assess that additional packages tied to the XORIndex and HexEval Loader campaigns are likely to surface,” warned Socket.
Named for its use of XOR-encoded strings and index-based obfuscation, XORIndex is a multi-stage malware loader embedded in seemingly benign npm packages. Upon installation, it:
- Collects host metadata (hostname, username, IP address, geolocation)
- Exfiltrates that data to hardcoded Command and Control (C2) endpoints such as:
  - https://log-writter[.]vercel[.]app/api/ipcheck
  - https://soc-log[.]vercel[.]app/api/ipcheck
- Executes attacker-supplied JavaScript payloads using eval()
- Loads second-stage malware like BeaverTail, which then fetches InvisibleFerret, a known backdoor
“Upon installation, eth-auditlog collects local host telemetry… and subsequently executes arbitrary JavaScript code via eval(), loading the second-stage malware BeaverTail,” the report says of eth-auditlog, one of the packages in this wave.
The BeaverTail malware, executed after XORIndex, scans the victim’s system for cryptocurrency wallets and browser extensions, collecting files from:
- MetaMask, Coinbase Wallet, Phantom, TronLink
- Wallet data paths (under the user's home directory) such as:
  - /Library/Application Support/Exodus/
  - /.config/solana/solana_id.json
- macOS keychain files
- Chromium and Firefox browser profiles
Collected data is compressed into a ZIP archive and uploaded over plain HTTP to http://144[.]217[.]86[.]88/uploads, which leaves the transfer visible to network monitoring.
BeaverTail also fetches InvisibleFerret, the third-stage malware, and executes it in memory.
“Exfiltrated contents include wallet databases, browser extension local storage, macOS keychain credentials, Solana IDs, and wallet-related JSON files.”
The report outlines the deliberate evolution of XORIndex from bare-bones prototypes to fully featured malware loaders:
- postcss-preloader: Basic beacon and eval, no obfuscation
- js-log-print: Added reconnaissance but buggy IP handling
- dev-filterjs: Introduced string-level obfuscation using ASCII buffers
- cronek: Full-featured XOR-based string hiding, endpoint rotation, and stealth
“The XORIndex Loader exhibits a deliberate and rapid evolution from proof-of-concept to fully featured malware loader.”
With the reuse of hardcoded C2 infrastructure, modular loader architecture, and targeting of trusted open-source ecosystems, this campaign highlights the increasing sophistication of North Korea’s offensive cyber operations.
Socket urges developers and the open-source community to remain vigilant:
“Their focus remains on infiltrating software supply chains and targeting developers, job seekers, and individuals they believe possess cryptocurrency or sensitive credentials.”