AI Security AI安全 6d ago Updated 6d ago 更新于 6天前 49

North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign 朝鲜黑客在PolinRider活动中发布108个恶意包和扩展程序

North Korean threat actors linked to the "Contagious Interview" campaign launched the "PolinRider" operation, publishing 108 malicious packages and extensions across npm, Packagist, Go, and Chrome. The campaign compromises open-source repositories by implanting obfuscated JavaScript loaders and malicious VS Code task files that execute code upon folder opening. Attackers utilize sophisticated evasion techniques, including Git history rewriting, force pushes, and anti-dated commits, to conceal ma 朝鲜黑客组织“Contagious Interview”发起名为“PolinRider”的供应链攻击,发布108个恶意npm、Packagist、Go包及Chrome扩展。 攻击者通过劫持维护者账户或在GitHub仓库中植入恶意代码,利用VS Code任务文件和伪造字体文件隐蔽执行载荷。 恶意载荷作为加载器,从TRON、Aptos等区块链基础设施获取第二阶段加密载荷,最终部署DEV#POPPER RAT和OmniStealer。 攻击者使用Git历史重写技术(强制推送、反日期提交)掩盖痕迹,导致常规提交历史审查失效,需审计活动日志。 受影响用户应立即视为环境已失陷,在干净机器上轮换密钥,移除受

75
Hot 热度
65
Quality 质量
70
Impact 影响力

Analysis 深度分析

TL;DR

  • North Korean threat actors linked to the "Contagious Interview" campaign launched the "PolinRider" operation, publishing 108 malicious packages and extensions across npm, Packagist, Go, and Chrome.
  • The campaign compromises open-source repositories by implanting obfuscated JavaScript loaders and malicious VS Code task files that execute code upon folder opening.
  • Attackers utilize sophisticated evasion techniques, including Git history rewriting, force pushes, and anti-dated commits, to conceal malicious changes from standard visual inspection.
  • The final payload acts as a loader for DEV#POPPER RAT and OmniStealer, targeting cryptocurrency infrastructure via blockchain services like TRON, Aptos, and BNB Smart Chain.

Why It Matters

This incident highlights the escalating sophistication of state-sponsored supply chain attacks targeting the software development ecosystem, specifically leveraging developer trust and tooling workflows. It demonstrates how attackers are moving beyond simple credential theft to manipulate repository histories and IDE configurations, making detection significantly harder for security teams and individual developers.

Technical Details

  • Attack Vectors: The campaign utilizes 19 npm libraries, 10 Composer packages, 61 Go modules, and one Chrome extension. It also merges with the "TaskJacker" cluster to drop malicious .vscode/tasks.json files that trigger execution via the runOn: 'folderOpen' directive.
  • Evasion Techniques: Threat actors employ Git history rewriting, including force pushes and anti-dated commits, to make malicious modifications appear as historical, legitimate changes. They also hide payloads using whitespace padding or disguise them as fake .woff2 font files.
  • Malware Functionality: The initial JavaScript loader searches for specific configuration files (e.g., postcss.config.mjs, tailwind.config.js) and appends malicious code. It then contacts blockchain infrastructure to fetch encrypted second-stage payloads.
  • Final Payloads: The unpacked payloads include DEV#POPPER RAT (Remote Access Trojan) and OmniStealer, designed to steal credentials and interact with cryptocurrency wallets and infrastructure.
  • Compromise Scale: As of April 11, 2026, the activity had compromised 1,951 public GitHub repositories associated with 1,047 unique owners.

Industry Insight

  • Audit Repository Logs: Security teams must move beyond visual inspection of commit histories. Regular audits of repository activity logs, package release metadata, and IDE configuration files are essential to detect anti-dated commits and hidden execution paths.
  • Secure Development Workflows: Developers should treat environments that have installed unverified or suspicious packages as compromised. Immediate steps include rotating secrets from a clean machine, removing affected versions, and rebuilding from known good lockfiles.
  • Tooling Vigilance: With attacks increasingly targeting IDE-specific features like VS Code tasks, organizations should enforce strict policies on third-party extensions and monitor for unauthorized changes to local configuration files such as .vscode/tasks.json.

TL;DR

  • 朝鲜黑客组织“Contagious Interview”发起名为“PolinRider”的供应链攻击,发布108个恶意npm、Packagist、Go包及Chrome扩展。
  • 攻击者通过劫持维护者账户或在GitHub仓库中植入恶意代码,利用VS Code任务文件和伪造字体文件隐蔽执行载荷。
  • 恶意载荷作为加载器,从TRON、Aptos等区块链基础设施获取第二阶段加密载荷,最终部署DEV#POPPER RAT和OmniStealer。
  • 攻击者使用Git历史重写技术(强制推送、反日期提交)掩盖痕迹,导致常规提交历史审查失效,需审计活动日志。
  • 受影响用户应立即视为环境已失陷,在干净机器上轮换密钥,移除受影响版本并从已知良好的lockfile重建。

为什么值得看

该事件揭示了国家级APT组织如何利用开发者工具链(如VS Code、npm)和开源生态的信任机制进行复杂的多阶段供应链攻击,展示了攻击手段的隐蔽性和持续性。对于安全从业者和企业而言,这强调了传统代码审查的局限性,必须将供应链安全、依赖项完整性验证以及IDE配置审计纳入核心防御体系。

技术解析

  • 攻击载体与规模:涉及162个恶意发布制品,覆盖19个npm库、10个Composer包、61个Go模块和1个Chrome扩展。攻击者通过合并“TaskJacker”集群,向GitHub仓库注入包含runOn: 'folderOpen'选项的恶意VS Code任务文件,触发IDE打开时自动执行任意代码。
  • 隐蔽技术与历史篡改:攻击者不使用被盗凭据,而是通过过期域名接管或账户恢复路径劫持维护者账户。他们使用Windows批处理脚本修改最近提交,并疑似使用类似工具在Linux/macOS上重写Git历史,通过强制推送和反日期提交使恶意更改看起来更旧,从而规避基于可见提交历史的检测。
  • 载荷执行与混淆:核心战术是将混淆的JavaScript加载器植入合法仓库,利用空白填充或伪装成.woff2字体文件进行隐藏。一旦执行,恶意软件会搜索特定配置文件(如postcss.config.mjstailwind.config.js等)并附加恶意代码。
  • 后续载荷与基础设施滥用:最新波次的载荷作为JavaScript加载器,连接至TRON、Aptos和BNB Smart Chain等区块链服务以获取加密的第二阶段载荷。解密后部署DEV#POPPER RAT(远程访问木马)和OmniStealer(窃密工具),旨在针对软件开发人员和加密货币从业者窃取数据。

行业启示

  • 重构供应链信任模型:鉴于Git历史可被篡改且依赖包可能携带恶意逻辑,企业和开发者不能仅依赖包管理器或仓库可见性检查。必须实施严格的依赖项完整性校验(如SBOM、签名验证)和运行时行为监控,特别是在CI/CD流水线中。
  • 强化开发者工具链安全:VS Code等IDE的任务配置和插件系统成为新的攻击面。组织应限制IDE自动执行权限,审计.vscode/tasks.json等配置文件,并对开发工作站进行定期安全扫描,防止恶意载荷在本地环境中静默运行。
  • 提升威胁检测与响应能力:面对国家级攻击者的持久化技术和历史掩盖手段,传统的静态扫描已不足够。安全团队需结合动态分析、网络流量监测(特别是针对区块链节点的异常通信)以及详细的仓库活动日志审计,以识别潜伏的供应链攻击。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Open Source 开源 Security 安全