North Korean hackers have launched a major cyberattack campaign by uploading 67 fake software packages to npm, one of the platforms most widely used by developers. These packages are not harmless: they carry malware that can silently take control of a user's computer. Users downloaded them more than 17,000 times before anyone detected the threat.
The hackers have been quietly running the malware campaign as part of a wider operation known as “Contagious Interview” for some time. However, this new wave is more powerful than before and includes a newly discovered malware known as XORIndex. The hackers specifically designed this tool to avoid detection, using clever hiding methods like encoded strings and index tricks to evade security systems.
Eighteen separate accounts, each linked to different email addresses, uploaded the fake packages, making it difficult to track down the people behind them. At the time of the discovery, 27 of these dangerous packages were still active and available for download, posing a serious risk to users around the world.
How the Malware Enters and Spreads
The malware named XORIndex is triggered the moment a user installs one of the infected packages. It runs automatically as part of the installation itself, in the background, so users do not realize anything is wrong. Once activated, the malware begins collecting detailed information about the computer and the person using it, including the computer's name, the user's name, its IP address, its geographic location, and the operating system in use.
The hackers then secretly send all of this information to servers they control. To avoid detection, they use hosting services that appear trustworthy, such as Vercel, and disguise the web addresses as legitimate tools while actually using them to transmit stolen information and receive new commands. This use of trusted platforms makes the attack much harder to detect.
XORIndex is not just a one-step attack. It acts as a doorway for more harmful software. After it collects the first round of data, it fetches a second malware called BeaverTail. That one, in turn, opens another secret channel using a hidden backdoor tool known as InvisibleFerret. This entire setup allows hackers to stay inside an infected system for a long time without being noticed.
Thousands at Risk from Rapidly Spreading Malware
The speed and scale of the attack are what make it truly worrying. In just two months, XORIndex malware was downloaded over 9,000 times. At the same time, an older piece of malware called HexEval continued to infect more systems with another 8,000 downloads from newly identified fake packages.
These fake packages were carefully designed to look like useful developer tools, so people trusted them. But once installed, they silently connected back to the hackers' servers and followed any instructions sent from there. This could include stealing login details, accessing cryptocurrency wallets, or even taking control of the entire system.
Security researchers from Socket.dev found that the malware used smart ways to stay hidden. Unlike basic malware that simply runs harmful commands, XORIndex was built with multiple layers. It first gathered data. Then it waited for instructions. After that, it executed those instructions while staying hidden. The malware switched between different web addresses to keep the attack running, even if one link got blocked.
This campaign specifically targets software developers, people who work with sensitive login systems, and individuals who hold or manage cryptocurrency. Since developers often use npm to add features to apps, many may have unknowingly installed these infected packages into larger systems or company software, spreading the danger even further.
This incident highlights how software supply chains are becoming a growing target for cyber attackers. By hiding malware in tools that people trust, attackers are able to slip past security measures and reach thousands of victims without raising alarms. The XORIndex campaign is one of the most complex and damaging examples of this tactic in recent months.