North Korean Hackers Hit npm Registry with New XORIndex Malware
In a new North Korean software supply chain attack, researchers have uncovered threat actors linked to the Contagious Interview campaign deploying 67 malicious npm packages, collectively downloaded more than 17,000 times, using a previously unreported XORIndex malware loader. This activity is an expansion of the campaign reported in June 2025, which deployed the HexEval Loader.
Details can be found here: https://socket.dev/blog/contagious-interview-campaign-escalates-67-malicious-npm-packages
Jim Routh, Chief Trust Officer at cybersecurity company Saviynt, commented:
“The extended attack surface for any enterprise due to the use of large language models (LLMs) has evolved in the past few years. It began with browser-based prompts of foundation models to SaaS applications using LLMs for enhanced features to LLMs usage in the software supply chain. The latter represents the most significant growth, partially fueled by threat actors from North Korea, including the Contagious Interview operation. Enterprises have a window of opportunity to improve identity security for those enterprise users with access to environments essential to software engineering, to shrink the enterprise attack surface.”
This illustrates that companies need to keep their attack surface as small as possible, as the bad guys are looking for more and more attack vectors to exploit.
This entry was posted on July 15, 2025 at 2:29 pm and is filed under Commentary with tags Hacked.