North Korean XORIndex malware hidden in 67 malicious npm packages
Briefly

North Korean actors infiltrated the npm repository by uploading 67 malicious packages, leading to over 17,000 downloads. The campaign is linked to the Contagious Interview operation targeting developers with fake job offers, encouraging them to install harmful software. Previously, 35 similar packages were used to deploy information stealers and backdoors. The newly introduced XORIndex Loader operates alongside other malware, collecting victim data and sending it to a command and control server. The malicious packages often disguise themselves with names resembling legitimate software projects.
North Korean threat actors successfully delivered a malware loader named XORIndex through 67 malicious packages on the npm repository, accumulating over 17,000 downloads.
The Contagious Interview campaign targets developers with fake job offers that lead them to install malicious code, enabling information theft and cryptocurrency theft.
These malicious packages often mimic genuine software project names to trick developers, and upon installation, they execute a script that activates the XORIndex Loader.
Once activated, XORIndex Loader gathers host data from the victim's system and communicates with a command and control server hosted on Vercel's infrastructure.
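The packages described above rely on npm running a script automatically at install time. As an added defender-side example (not code from the article, the campaign, or BleepingComputer), the following audit walks a node_modules tree and lists every package that declares an install-time lifecycle hook, so those hooks can be reviewed before they run; the package names and manifests it builds are constructed for the demonstration.

```python
import json
import os
import tempfile

# Lifecycle hooks npm runs automatically during install ("prepare" also
# fires for git and local dependencies).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_hooks(manifest: dict) -> dict:
    """Return {hook: command} for every install-time hook in a package.json."""
    scripts = manifest.get("scripts") or {}
    return {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}


def audit_node_modules(root: str) -> dict:
    """Map package name -> install-time hooks for every manifest under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as f:
                manifest = json.load(f)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        if not isinstance(manifest, dict):
            continue
        hooks = install_hooks(manifest)
        if hooks:
            findings[manifest.get("name", dirpath)] = hooks
    return findings


def demo() -> dict:
    """Build a constructed node_modules tree (one hooked package) and audit it."""
    root = tempfile.mkdtemp()
    pkgs = {  # constructed sample manifests, not real npm packages
        "harmless-lib": {"name": "harmless-lib", "scripts": {"test": "jest"}},
        "lookalike-utils": {"name": "lookalike-utils",
                            "scripts": {"postinstall": "node ./setup.js"}},
    }
    for name, manifest in pkgs.items():
        d = os.path.join(root, "node_modules", name)
        os.makedirs(d)
        with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as f:
            json.dump(manifest, f)
    return audit_node_modules(os.path.join(root, "node_modules"))
```

Running `audit_node_modules("node_modules")` on a real project lists the hooked packages; pairing it with `npm install --ignore-scripts` lets the hooks be reviewed before any of them execute.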
Read at BleepingComputer