North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign
North Korean threat actors linked to the "Contagious Interview" campaign launched the "PolinRider" operation, publishing 108 malicious packages and extensions across npm, Packagist, Go, and Chrome. The campaign compromises open-source repositories by implanting obfuscated JavaScript loaders and malicious VS Code task files that execute code upon folder opening. Attackers utilize sophisticated evasion techniques, including Git history rewriting, force pushes, and anti-dated commits, to conceal ma
Analysis
TL;DR
- North Korean threat actors linked to the "Contagious Interview" campaign launched the "PolinRider" operation, publishing 108 malicious packages and extensions across npm, Packagist, Go, and Chrome.
- The campaign compromises open-source repositories by implanting obfuscated JavaScript loaders and malicious VS Code task files that execute code upon folder opening.
- Attackers utilize sophisticated evasion techniques, including Git history rewriting, force pushes, and anti-dated commits, to conceal malicious changes from standard visual inspection.
- The final payload acts as a loader for DEV#POPPER RAT and OmniStealer, targeting cryptocurrency infrastructure via blockchain services like TRON, Aptos, and BNB Smart Chain.
Why It Matters
This incident highlights the escalating sophistication of state-sponsored supply chain attacks targeting the software development ecosystem, specifically leveraging developer trust and tooling workflows. It demonstrates how attackers are moving beyond simple credential theft to manipulate repository histories and IDE configurations, making detection significantly harder for security teams and individual developers.
Technical Details
- Attack Vectors: The campaign utilizes 19 npm libraries, 10 Composer packages, 61 Go modules, and one Chrome extension. It also merges with the "TaskJacker" cluster to drop malicious
.vscode/tasks.jsonfiles that trigger execution via therunOn: 'folderOpen'directive. - Evasion Techniques: Threat actors employ Git history rewriting, including force pushes and anti-dated commits, to make malicious modifications appear as historical, legitimate changes. They also hide payloads using whitespace padding or disguise them as fake
.woff2font files. - Malware Functionality: The initial JavaScript loader searches for specific configuration files (e.g.,
postcss.config.mjs,tailwind.config.js) and appends malicious code. It then contacts blockchain infrastructure to fetch encrypted second-stage payloads. - Final Payloads: The unpacked payloads include DEV#POPPER RAT (Remote Access Trojan) and OmniStealer, designed to steal credentials and interact with cryptocurrency wallets and infrastructure.
- Compromise Scale: As of April 11, 2026, the activity had compromised 1,951 public GitHub repositories associated with 1,047 unique owners.
Industry Insight
- Audit Repository Logs: Security teams must move beyond visual inspection of commit histories. Regular audits of repository activity logs, package release metadata, and IDE configuration files are essential to detect anti-dated commits and hidden execution paths.
- Secure Development Workflows: Developers should treat environments that have installed unverified or suspicious packages as compromised. Immediate steps include rotating secrets from a clean machine, removing affected versions, and rebuilding from known good lockfiles.
- Tooling Vigilance: With attacks increasingly targeting IDE-specific features like VS Code tasks, organizations should enforce strict policies on third-party extensions and monitor for unauthorized changes to local configuration files such as
.vscode/tasks.json.
Disclaimer: The above content is generated by AI and is for reference only.