Newsinterpretation

Shocking Surge in npm Malware Attacks as North Korean Hackers Deploy 67 Dangerous Packages

North Korean hackers have launched a major cyberattack campaign by uploading 67 malicious software packages to npm, one of the most widely used package registries among developers. The packages are not harmless: they carry malware that can silently take control of a user's computer. Users downloaded them more than 17,000 times before the threat was detected.

The hackers have been running the malware campaign for some time as part of a wider operation known as "Contagious Interview". This new wave, however, is more capable than earlier ones and includes a newly discovered malware loader known as XORIndex. The tool is built to avoid detection: it hides its strings with XOR encoding and retrieves them through index-based lookups, so that scanners looking for readable indicators in the package source find none.

Eighteen separate npm accounts, each tied to a different email address, uploaded the packages, which makes attributing the activity and taking it down harder. At the time of discovery, 27 of the packages were still live and available for download, posing a serious risk to users worldwide.

How the Malware Enters and Spreads

XORIndex runs the moment a user installs one of the infected packages: the package declares it as an npm postinstall lifecycle script, so it executes during `npm install` with no action by the user beyond adding the dependency, and nothing visible tells them anything is wrong. Once running, the loader fingerprints the host and its user, collecting the hostname, the username, the machine's external IP address and the geolocation derived from it, and the operating system in use.

The hackers then send this information to servers they control. To avoid detection, they host their command-and-control endpoints on services that appear trustworthy, such as Vercel, and give the URLs the look of legitimate tools while using them to receive stolen data and issue new commands. Abusing a trusted platform makes the traffic much harder to flag.

XORIndex is not a one-step attack; it acts as a loader for further malware. After the first round of data is collected, it fetches a second stage, BeaverTail, which in turn deploys the InvisibleFerret backdoor to open a persistent covert channel. This chain allows the hackers to remain inside an infected system for a long time without being noticed.

Thousands at Risk from Rapidly Spreading Malware

The speed and scale of the attack are what make it truly worrying. In roughly two months, packages carrying XORIndex were downloaded more than 9,000 times. Over the same period, an older loader from the same campaign, HexEval, continued to infect systems, adding another 8,000 downloads through newly identified fake packages.

The fake packages were designed to look like useful developer tools, so people trusted them. Once installed, they connected back to the attackers' servers and executed whatever instructions were sent, which could include stealing login credentials, accessing cryptocurrency wallets, or taking full control of the system.


Security researchers from Socket.dev found that the malware used several layers to stay hidden. Rather than simply running harmful commands, XORIndex first gathers data, then waits for instructions, then executes them while staying hidden. It rotates between several command-and-control addresses so the attack keeps running even if one of them is blocked.

This campaign specifically targets software developers, people who work with sensitive login systems, and individuals who hold or manage cryptocurrency. Since developers routinely use npm to pull dependencies into their applications, many may have unknowingly installed these packages into larger projects or company software, spreading the danger even further.

This incident highlights how software supply chains are becoming a growing target for cyber attackers. By hiding malware in tools that people trust, attackers are able to slip past security measures and reach thousands of victims without raising alarms. The XORIndex campaign is one of the most complex and damaging examples of this tactic in recent months.

Renuka Bangale
Renuka is a distinguished Chartered Accountant and a Certified Digital Threats Analyst from Riskpro, renowned for her expertise in cybersecurity. With a deep understanding of cybercrimes, malware, cyber warfare, and espionage, she has established herself as an authority in the field. Renuka combines her financial acumen with advanced knowledge of digital threats to provide unparalleled insights into the evolving landscape of information security. Her analytical prowess enables her to dissect complex cyber incidents, offering clarity on risks and mitigation strategies. As a key contributor to Newsinterpretation’s information security category, Renuka delivers authoritative articles that educate and inform readers about emerging threats and best practices.
