Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader
2025-07-15 • Socket
https://socket.dev/blog/contagious-interview-campaign-escalates-67-malicious-npm-packages
Socket reports that North Korean Contagious Interview operators expanded their software supply-chain activity with 67 malicious npm packages, including 28 tied to the newly identified XORIndex loader and 39 new HexEval packages. XORIndex collects host metadata, posts it to hardcoded /api/ipcheck endpoints, and executes returned JavaScript that can load BeaverTail, with references to the InvisibleFerret third-stage backdoor. The activity targets the Node.js ecosystem, especially developers, job seekers, and people likely to hold cryptocurrency or sensitive credentials. BeaverTail enumerates wallet and browser-extension storage for MetaMask, Coinbase Wallet, Phantom, Exodus, Solana keys, macOS keychain data, and related files, then archives and exfiltrates them to infrastructure such as 144[.]217[.]86[.]88. The report matters because it shows the campaign continuing in parallel loader waves, with live npm packages, thousands of downloads, and rapid re-upload behavior after takedowns.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | outlook.com | 2018-09-06 | 2026-04-17 |
| DOMAIN | ip-api.com | 2022-11-14 | 2026-01-21 |
| URL | https://process-log-update.verc… | 2025-07-15 | 2025-10-10 |
| n/a (type column missing in source) | [email protected] (44 rows rendered this way by extraction; original values not recoverable) | 2025-07-15 | 2025-07-15 |
| URL | https://log-writter.vercel.app/… | 2025-07-15 | 2025-07-15 |
| URL | https://1215.vercel.app/api/ipc… | 2025-07-15 | 2025-07-15 |
| URL | https://soc-log.vercel.app/api/… | 2025-07-15 | 2025-07-15 |
| URL | https://api.npoint.io/1f901a22d… | 2025-07-15 | 2025-07-15 |
| DOMAIN | gedu.demo.ta-39.com | 2025-07-15 | 2025-07-15 |
| IPv4 | 144.217.86.88 | 2025-07-15 | 2025-07-15 |