North Korean threat actors are actively distributing malicious npm packages as part of the Contagious Interview campaign, aiming to compromise developers and open-source ecosystems. They use evolving malware loaders like XORIndex and HexEval to deploy tools such as BeaverTail and InvisibleFerret for data theft and backdoor access. #ContagiousInterview #XORIndex #HexEval #BeaverTail #InvisibleFerret
Key points
- North Korean actors continue to distribute malicious npm packages through the Contagious Interview campaign.
- The campaign uses evolving malware loaders such as XORIndex and HexEval to infect systems.
- Malicious packages serve as a conduit for the BeaverTail JavaScript loader and stealer, and deploy a Python backdoor called InvisibleFerret.
- The activity targets developers and employs a whack-a-mole approach with constant new variants.
- Threat actors are diversifying their malware portfolio, reusing loaders, and deploying new variants with stealthier capabilities.
Read More: https://thehackernews.com/2025/07/north-korean-hackers-flood-npm-registry.html