Newsinterpretation

Shocking Surge in npm Malware Attacks as North Korean Hackers Deploy 67 Dangerous Packages

North Korean hackers have launched a major cyberattack campaign by uploading 67 fake software packages to npm, one of the most widely used platforms by developers. These packages are not harmless: they carry malware that can silently take control of a user’s computer. Users downloaded them more than 17,000 times before anyone detected the threat.

The hackers have been quietly running the malware campaign for some time as part of a wider operation known as “Contagious Interview”. This new wave, however, is more capable than before and includes a newly discovered malware strain known as XORIndex. The hackers designed this tool specifically to avoid detection, using hiding methods such as encoded strings and index-based lookups to evade security tooling.

Eighteen separate accounts, each linked to different email addresses, uploaded the fake packages, making it difficult to track down the people behind them. At the time of the discovery, 27 of these dangerous packages were still active and available for download, posing a serious risk to users around the world.

How the Malware Enters and Spreads

The malware named XORIndex is triggered the moment a user installs one of the infected packages. It runs automatically as part of the installation process, so users do not notice that anything is wrong. Once activated, the malware begins collecting detailed information about the computer and the person using it, including the computer’s name, the user’s name, IP address, geographic location, and the operating system in use.

The hackers then secretly send all of this information to servers they control. To avoid detection, the hackers use hosting services that appear trustworthy, such as Vercel. They design web addresses to look like real tools but actually use them to transmit stolen information and receive new commands. This use of trusted platforms makes the attack much harder to detect.

XORIndex is not just a one-step attack. It acts as a doorway for more harmful software. After it collects the first round of data, it fetches a second malware called BeaverTail. That one, in turn, opens another secret channel using a hidden backdoor tool known as InvisibleFerret. This entire setup allows hackers to stay inside an infected system for a long time without being noticed.

Thousands at Risk from Rapidly Spreading Malware

The speed and scale of the attack are what make it truly worrying. In just two months, XORIndex malware was downloaded over 9,000 times. At the same time, an older piece of malware called HexEval continued to infect more systems with another 8,000 downloads from newly identified fake packages.

These fake packages were carefully designed to look like useful developer tools, so people trusted them. But once installed, they silently connected back to the hacker’s servers and followed any instructions sent from there. This could include stealing login details, accessing cryptocurrency wallets, or even taking control of the entire system.


Security researchers from Socket.dev found that the malware used smart ways to stay hidden. Unlike basic malware that simply runs harmful commands, XORIndex was built with multiple layers. It first gathered data. Then it waited for instructions. After that, it executed those instructions while staying hidden. The malware switched between different web addresses to keep the attack running, even if one link got blocked.

This campaign specifically targets software developers, people who work with sensitive login systems, and individuals who hold or manage cryptocurrency. Since developers often use npm to add features to apps, many may have unknowingly installed these infected packages into larger systems or company software, spreading the danger even further.

This incident highlights how software supply chains are becoming a growing target for cyber attackers. By hiding malware in tools that people trust, attackers are able to slip past security measures and reach thousands of victims without raising alarms. The XORIndex campaign is one of the most complex and damaging examples of this tactic in recent months.

Renuka Bangale
Renuka is a distinguished Chartered Accountant and a Certified Digital Threats Analyst from Riskpro, renowned for her expertise in cybersecurity. With a deep understanding of cybercrimes, malware, cyber warfare, and espionage, she has established herself as an authority in the field. Renuka combines her financial acumen with advanced knowledge of digital threats to provide unparalleled insights into the evolving landscape of information security. Her analytical prowess enables her to dissect complex cyber incidents, offering clarity on risks and mitigation strategies. As a key contributor to Newsinterpretation’s information security category, Renuka delivers authoritative articles that educate and inform readers about emerging threats and best practices.
