Tech Journalism

North Korea-Linked PolinRider Campaign Expands Beyond npm to Go and Chrome

The North Korea-linked PolinRider campaign expanded across npm, Go, Packagist, Chrome extensions, GitHub repositories, and developer tools.

Published Updated 5 min read
#Security#Open Source#Supply Chain#North Korea#PolinRider#Contagious Interview#Socket#TaskJacker

The malicious npm packages disguised as Rollup components, recently attributed with varying confidence to North Korea-linked actors, appear to have been one operation among several campaigns run by the same broader activity cluster.

The Hacker News reported on PolinRider on July 4, citing research by security company Socket. According to the analysis, suspected North Korea-linked operators expanded their attack surface beyond npm to Go modules, Packagist packages, and a Chrome extension.

The Heal Joe previously covered malicious npm packages disguised as Rollup polyfills. The new analysis indicates that the Rollup incident was not PolinRider itself; it was a separate campaign operated concurrently by the same Contagious Interview activity cluster.

108 packages and an ongoing campaign

Socket security researcher Karlo Zanki said the campaign remained active and that more malicious packages were likely to appear. If an attacker obtains a maintainer account or publishing rights in a package registry, they can alter a legitimate repository or release a compromised version.

Socket identified 162 malicious release artifacts across 108 unique packages and browser extensions.

The affected set included 80 Go modules, 10 Packagist packages, and one Chrome extension. Based on the totals in Socket's report, the remaining 17 were npm-related packages.

The Hacker News linked the activity to Contagious Interview, a campaign that targets software developers and people working in the cryptocurrency industry.

Attackers impersonate recruiters or potential collaborators, then persuade a target to execute malicious code presented as an interview assignment or development test.

MITRE ATT&CK describes the associated actor as a North Korea-linked group active since 2023. Its targets include Windows, Linux, and macOS systems used by software developers and cryptocurrency professionals.

Malicious code hidden in legitimate repositories

A defining feature of PolinRider is its use of otherwise legitimate repositories. Attackers insert an obfuscated JavaScript loader into GitHub repositories that appear trustworthy. In some samples, the code was placed after a long run of whitespace so it would be easy to miss during a visual review.

The OpenSourceMalware team first disclosed PolinRider activity in March 2026 and identified the payload as a BeaverTail variant.

The team said the attackers did not necessarily use stolen GitHub credentials to compromise each victim. Instead, malicious VS Code extensions or npm packages infected users. Domain expiration and abuse of account-recovery processes were considered possible paths to account takeover, although the initial access method was not confirmed in every case.

The Hacker News reported that, as of April 11, 1,951 public GitHub repositories owned by 1,047 users had been affected. The activity later merged with a cluster called TaskJacker, which placed malicious VS Code task files in existing repositories.

Some cases included manipulation of Git history. Attackers used Windows batch scripts to rewrite the latest commit and make the change appear to have been made by the original author. Similar tools were suspected on Linux and macOS.

Force pushes and backdated commits made malicious changes look older than they were. Reviewing only a repository's landing page and most recent commit could therefore miss the compromise.

Development tools became the execution path

Once executed, the malware searched the infected machine for configuration files including postcss.config.mjs, tailwind.config.js, eslint.config.mjs, next.config.mjs, babel.config.js, and app.js. It appended malicious JavaScript to any matching files.

Newer variants used fake .woff2 font files. Adding runOn: "folderOpen" to a VS Code task allowed code to execute as soon as a folder was opened, turning VS Code and Cursor into delivery paths.

The decrypted loader contacted public blockchain infrastructure associated with TRON, Aptos, and BNB Smart Chain, then downloaded and executed an encrypted second-stage payload.

Socket identified DEV#POPPER and OmniStealer as follow-on malware observed in the campaign. Their capabilities included command execution, socket.io-client command-and-control communication, credential theft, browser-data theft, and wallet-data theft.

Investigate before deleting

Socket recommended treating systems that installed affected packages or extensions as compromised. Simply deleting the package may not be sufficient.

First, preserve forensic evidence before cleanup. Identify every machine that installed an affected version, remove the version, and rebuild from a known-good lockfile.

Secrets that may require rotation include npm, GitHub, PyPI, RubyGems, cloud, Vault, Kubernetes, Docker, SSH, Slack, Twilio, and CI/CD credentials. Rotation should be performed from an uncompromised device.

Repositories also require inspection. Teams should review .vscode/tasks.json, config.js, vite.config.js, eslint.config.js, and font or static-asset directories for unfamiliar commits. Visible commit history is not enough; GitHub activity logs and package-registry publication history should also be checked.

The case shows that an open-source supply-chain attack does not remain confined to one language ecosystem. The attackers combined repositories, package registries, and development tools. Trusted developer pathways became attack pathways.

Frequently asked questions

What is PolinRider?

PolinRider is supply-chain activity that abused npm, Go modules, Packagist packages, and a Chrome extension. Researchers assessed it as related to the North Korea-linked activity cluster commonly called Contagious Interview.

What does the number 108 represent?

It is Socket's count of unique packages and browser extensions. The set included 80 Go modules, 10 Packagist packages, and one Chrome extension. The remaining 17 are inferred from Socket's totals to be npm-related packages.

Is removing an infected package enough?

It may not be. Executed malware targeted credentials, browser data, and wallet information. Teams should investigate affected devices and repositories, then rotate credentials from a clean environment.

Unauthorized copying, redistribution, and automated scraping are not permitted. Please cite the original URL when referencing this article.

Related writing