North Korean Hackers Publish 108 Malicious Packages and Extensions in Ongoing PolinRider Campaign

turtle news
0
North Korean Hackers Publish 108 Malicious Packages and Extensions in Ongoing PolinRider Campaign

Image source: blogger.googleusercontent.com

Campaign Overview and Scale

PolinRider activity expands across multiple ecosystems

North Korean threat actors linked to the Contagious Interview campaign have published 108 unique malicious packages and browser extensions across npm, Packagist, Go, and Google Chrome as part of an ongoing operation called PolinRider. According to a security analysis published this week by Socket researcher Karlo Zanki, the campaign remains active, and new malicious packages are likely to continue appearing as threat actors compromise maintainer accounts, modify legitimate repositories, and publish infected package versions.

The 162 malicious release artifacts span multiple versions corresponding to 108 unique packages and extensions. This includes 19 npm libraries, 10 Composer packages, 61 Go modules, and one Google Chrome extension. The activity was first flagged by the OpenSourceMalware team in March 2026, which described it as involving threat actors implanting malicious obfuscated JavaScript payloads in hundreds of public GitHub repositories to deliver a new variant of BeaverTail, a known JavaScript malware associated with Contagious Interview.

Attack Chain and Infrastructure

Blockchain services used for second-stage payload delivery

In the latest wave, the payload functions as a JavaScript malware loader that reaches out to blockchain infrastructure, including TRON, Aptos, and BNB Smart Chain services, to fetch an encrypted second-stage payload. This payload unpacks to DEV#POPPER RAT and OmniStealer, as detailed by eSentire in March 2026. The use of blockchain services for command-and-control communication marks a notable evolution in the campaign's tradecraft, making detection and takedown more challenging.

Once executed, the malware searches the infected computer for specific configuration files—such as postcss.config.mjs, tailwind.config.js, eslint.config.mjs, next.config.mjs, babel.config.js, and app.js—and appends malicious JavaScript code to them. It also uses a Windows batch script to stealthily modify the last commit, making it appear as if changes were made by the original author. Similar tools are suspected to be used for rewriting Git history on Linux and macOS systems.

Compromise Method and Developer Targeting

VS Code extensions and npm packages as entry points

As of April 11, 2026, the activity has compromised 1,951 public GitHub repositories belonging to 1,047 unique owners. The campaign has also merged with another cluster called TaskJacker, which drops malicious VS Code task files into existing GitHub repositories. These VS Code tasks include the "runOn: 'folderOpen'" option, triggering arbitrary code execution when the folder is opened as a workspace in an IDE like VS Code or Cursor.

Contrary to initial assumptions, the threat actors are not using stolen GitHub credentials. Instead, victims are compromised via a malicious VS Code extension or npm package. It is believed that attackers are taking over maintainer accounts, likely through expired domain takeover or another account recovery path. The campaign targets software developers and individuals in the cryptocurrency sectors, using persuasive job interviews and assessments to trick them into executing malicious code. Attackers masquerade as recruiters or collaborators on platforms like LinkedIn, GitHub, or freelance websites, often setting up elaborate front companies and AI-generated employee profiles to build trust.

Tactical Overlaps and Detection Challenges

Git history rewriting and hidden execution paths complicate defense

The core tradecraft remains consistent across the campaign: threat actors plant obfuscated JavaScript loaders in legitimate repositories, conceal the code through whitespace padding or fake .woff2 font files, and trigger execution through developer tooling such as VS Code task files. The threat actors use Git history rewriting, including force pushes and anti-dated commits, to make malicious changes appear older and less suspicious. This makes the GitHub landing page and visible commit history unreliable indicators of compromise.

Socket researcher Karlo Zanki emphasized that defenders should review repository activity logs, package release metadata, VS Code task configuration, and suspicious changes to configuration files. The development comes as JFrog uncovered a cluster of npm packages linked to Contagious Interview, some of which masqueraded as Rollup polyfill tools to enable remote access and data theft. Another set of npm packages and Go packages was identified as incorporating VS Code auto-run tasks to run JavaScript payloads disguised as fake font files, indicating tactical overlaps between Fake Font, TaskJacker, and PolinRider.

Users who have installed these packages should treat the environment as compromised, rotate exposed secrets from a clean machine, remove affected versions and rebuild from a known good lockfile, and audit developer workstations and repositories for hidden execution paths or suspicious commits that have modified .vscode/tasks.json, config.js, vite.config.js, and eslint.config.js files.

Based on reporting from thehackernews.com

Post a Comment

0 Comments
Post a Comment (0)

#buttons=(Got it) #days=(180)

This site uses cookies and similar technologies for core functionality, analytics, measurement, and advertising. Google and third-party partners may use cookies to serve and measure ads. Read our Privacy Policy and Cookie Policy.
Got it
To Top