
North Korean Hackers Publish 108 Malicious Packages in PolinRider Campaign


108 unique packages and web browser extensions — spanning npm, Packagist, Go, and Google Chrome — have been published by North Korea–aligned threat actors as part of an active campaign investigators call PolinRider.

PolinRider: scope, timeline, and scale

Researchers say PolinRider is a major distribution arm of the Contagious Interview campaign. Socket security researcher Karlo Zanki reported this week that the operation has produced 162 malicious release artifacts across 108 unique packages and extensions: 19 npm libraries, 10 Composer packages, 61 Go modules, and one Google Chrome extension. OpenSourceMalware first flagged PolinRider in March 2026, and the activity is described as ongoing.

As of April 11, 2026, OpenSourceMalware counted compromises in 1,951 public GitHub repositories belonging to 1,047 unique owners. Investigators also report PolinRider has merged tactically with a cluster called TaskJacker, which drops malicious VS Code task files into existing repositories.

Tradecraft: Git history rewriting, VS Code auto-run tasks, and obfuscated payloads

Researchers outline a repeatable set of techniques. Zanki warned that “the threat actor is not using stolen GitHub credentials,” and OpenSourceMalware added that victims appear to be compromised via a malicious VS Code extension or npm package. Once a foothold is gained, the attackers plant obfuscated JavaScript loaders in legitimate repositories and conceal them with whitespace padding or by disguising them as .woff2 font files.

The adversary uses VS Code task files to trigger execution — including tasks whose `runOptions.runOn` setting is `folderOpen`, which makes VS Code run the task automatically when the folder is opened. Malicious VS Code tasks have been used to run JavaScript payloads disguised as fake font files. Zanki noted the actor “uses Git history rewriting, including force pushes and anti-dated commits to make malicious changes appear older and less suspicious,” reducing the reliability of the visible GitHub landing page and commit history as indicators of compromise.

Payload chain: blockchain fetches and commodity stealers

When executed, the JavaScript loader reaches out to blockchain infrastructure — researchers named TRON, Aptos, and BNB Smart Chain services — to retrieve an encrypted second-stage payload. eSentire detailed in March 2026 that the second stage decrypts to DEV#POPPER RAT and OmniStealer, giving the attacker remote access and data-theft capabilities.

Distribution vectors and overlapping clusters: npm, Composer, Go, and Chrome

Attackers have published malicious versions and modified legitimate repositories to push infected package releases. JFrog uncovered a cluster of npm packages tied to Contagious Interview that masqueraded as Rollup polyfill tools, while other npm and Go packages were found incorporating VS Code auto-run tasks to execute JavaScript payloads. Investigators describe tactical overlaps between Fake Font, TaskJacker, and PolinRider.

Socket researchers warned that “the campaign remains active, and new malicious packages are likely to continue appearing as threat actors compromise maintainer accounts, modify legitimate repositories, and publish infected package versions where they retain or obtain registry access.” The actors are believed to take over maintainer accounts via expired domain takeover or other account recovery paths.

What this means for open-source maintainers, enterprise security teams, and developers

  • Open-source maintainers: review package release metadata and repository activity logs; examine any force pushes or anti-dated commits and audit for hidden execution paths or suspicious changes to configuration files such as ".vscode/tasks.json", "config.js", "vite.config.js", and "eslint.config.js".
  • Enterprise security and procurement teams: treat any systems that installed affected packages as compromised, rotate exposed secrets from a clean machine, remove affected package versions, and rebuild from a known good lockfile.
  • Developers and workstations: audit local developer workstations and repositories for inserted loaders that append malicious code to configuration and build files (examples cited by researchers include "postcss.config.mjs", "tailwind.config.js", "eslint.config.mjs", "next.config.mjs", "babel.config.js", and "app.js").
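A small audit script for the two checks above, written as an added example for this article (it is not tooling from Socket, OpenSourceMalware, or any project named here): it flags VS Code tasks set to run on `folderOpen` and flags lines in the listed config and build files where code follows a long run of whitespace padding. The file names, the 200-character padding threshold, and the sample inputs are constructed assumptions for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed samples (not from the report): an auto-run task that executes a file posing as a font,
# and a config file whose real content is followed by a loader hidden far off-screen by padding.
SAMPLE_TASKS = """{
  // helper tasks
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "warmup", "type": "shell", "command": "node assets/icons.woff2",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""
SAMPLE_CONFIG = ("module.exports = { content: ['./src/**/*.js'] };" + " " * 400
                 + "require('./assets/icons.woff2');\n")

CONFIG_NAMES = {"postcss.config.mjs", "tailwind.config.js", "eslint.config.mjs", "eslint.config.js",
                "next.config.mjs", "babel.config.js", "vite.config.js", "config.js", "app.js"}

def autorun_tasks(tasks_text):
    """(label, command) of every task set to run on folderOpen; strips JSONC line comments first."""
    data = json.loads(re.sub(r"^\s*//.*$", "", tasks_text, flags=re.M))
    return [(t.get("label", "<unlabelled>"), t.get("command", "")) for t in data.get("tasks", [])
            if (t.get("runOptions") or {}).get("runOn") == "folderOpen"]

def padded_code_lines(source, min_pad=200):
    """1-based numbers of lines where code follows a run of at least min_pad whitespace characters."""
    pat = re.compile(r"\S\s{%d,}\S" % min_pad)
    return [n for n, line in enumerate(source.splitlines(), 1) if pat.search(line)]

def scan_repo(root):
    """Collect (kind, relative path, detail) findings from a checkout, skipping node_modules."""
    root, findings = Path(root), []
    tasks = root / ".vscode" / "tasks.json"
    if tasks.is_file():
        findings += [("autorun-task", ".vscode/tasks.json", f"{lbl}: {cmd}")
                     for lbl, cmd in autorun_tasks(tasks.read_text())]
    for path in (p for p in root.rglob("*") if p.name in CONFIG_NAMES and "node_modules" not in p.parts):
        rel, text = str(path.relative_to(root)), path.read_text(errors="replace")
        findings += [("padded-code", rel, f"line {n}") for n in padded_code_lines(text)]
    return findings

def demo():
    # Write the constructed samples into a temporary checkout and scan it.
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / ".vscode").mkdir()
        (Path(d) / ".vscode" / "tasks.json").write_text(SAMPLE_TASKS)
        (Path(d) / "tailwind.config.js").write_text(SAMPLE_CONFIG)
        return scan_repo(d)
```

Every hit is a lead for manual review rather than a verdict: a legitimate project may use `folderOpen` tasks, so compare each flagged task against the repository's history and release metadata before acting on it.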

Closing observation

The PolinRider activity ties a consistent set of developer-centric intrusions — recruiter-style social engineering, registry abuse, VS Code auto-run tasks, and Git history manipulation — into a supply-chain campaign that has produced more than a hundred distinct malicious packages and extensions. Investigators emphasize that visible repository pages and commit timestamps can be misleading after history rewriting; defenders are urged to inspect metadata, task configurations, and release artifacts rather than rely on the superficial commit log. As Socket put it, the campaign remains active, and new malicious packages are likely to continue appearing as attackers retain or obtain registry access.

Source: The Hacker News — North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign