Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader

The Socket Threat Research Team has uncovered a new North Korean software supply chain attack involving a previously unreported malware loader we call XORIndex. This activity is an expansion of the campaign we reported in June 2025, which deployed the HexEval Loader. In this latest wave, the North Korean threat actors behind the Contagious Interview operation infiltrated the npm ecosystem with 67 malicious packages, collectively downloaded more than 17,000 times. Twenty-seven of these packages remain live on the npm registry. We have submitted takedown requests to the npm security team and petitioned for the suspension of the associated accounts.

The full list of packages is provided in the IOCs section of this report. Based on current patterns, we assess that additional packages tied to the XORIndex and HexEval Loader campaigns are likely to surface. The Contagious Interview operation continues to follow a whack-a-mole dynamic, where defenders detect and report malicious packages, and North Korean threat actors quickly respond by uploading new variants using the same, similar, or slightly evolved playbooks.

The HexEval Loader campaign shows no signs of slowing down, as the threat actors continue uploading malicious packages to the npm registry. With the emergence of the XORIndex Loader (named for its use of XOR-encoded strings and index-based obfuscation), they have expanded their tooling with a second loader that is likewise designed to evade detection.

For full article, visit: Socket

This post is licensed under CC BY 4.0 by the author.