# North Korean APT Expands Supply Chain Attack 'PolinRider' Across Multiple Ecosystems

A North Korean threat actor, known for the **Contagious Interview** campaign, has significantly broadened its supply chain attack efforts under the moniker **PolinRider**. This sophisticated operation now targets a wide array of ecosystems, including npm, Packagist, Go, and Google Chrome, by publishing over a hundred malicious packages and browser extensions. The campaign leverages compromised maintainer accounts and deceptive social engineering to inject malware into development workflows.
North Korean threat actors, previously linked to the **Contagious Interview** campaign, are actively expanding their supply chain attack operations, now dubbed **PolinRider**. This extensive campaign has seen the publication of 108 unique malicious packages and web browser extensions across prominent platforms like npm, Packagist, Go, and **Google Chrome**.

Karlo Zanki, a security researcher at **Socket**, highlighted the ongoing nature of the campaign, stating, "The campaign remains active, and new malicious packages are likely to continue appearing as threat actors compromise maintainer accounts, modify legitimate repositories, and publish infected package versions where they retain or obtain registry access." The analysis, published recently by Socket, details 162 malicious release artifacts corresponding to these 108 unique packages and extensions, including 19 npm libraries, 10 **Composer** packages, 61 **Go** modules, and one **Google Chrome** extension.
## The Contagious Interview Connection
**Contagious Interview** is a North Korea-aligned campaign that has been active since at least 2023. It primarily targets software developers and individuals in the cryptocurrency sector through elaborate job recruitment scams. Attackers impersonate recruiters or collaborators on platforms like **LinkedIn** and **GitHub**, often establishing sophisticated front companies and using AI-generated profiles to build trust before delivering malicious code.
## PolinRider's Evolution
**PolinRider** was initially identified by the **OpenSourceMalware** team in March 2026. At that time, it involved threat actors implanting obfuscated JavaScript payloads into hundreds of public **GitHub** repositories to deliver a variant of **BeaverTail**, a known JavaScript malware associated with **Contagious Interview**.
As of April 11, 2026, the campaign had compromised 1,951 public **GitHub** repositories belonging to 1,047 unique owners. It has also converged with another cluster known as **TaskJacker**, which injects malicious **VS Code** task files into existing **GitHub** repositories. These **VS Code** tasks use the `runOn: "folderOpen"` option, which runs the task automatically, and therefore executes arbitrary code, as soon as the folder is opened as a workspace in IDEs like **VS Code** or **Cursor**.
**OpenSourceMalware** noted that the attackers are not using stolen **GitHub** credentials. Instead, the team believes victims are compromised via malicious **VS Code** extensions or npm packages, and that maintainer accounts are then taken over through methods like expired domain takeover or account recovery paths.
## Technical Modus Operandi
Upon execution, the malware scans the infected system for specific configuration files such as `postcss.config.mjs`, `tailwind.config.js`, `eslint.config.mjs`, `next.config.mjs`, `babel.config.js`, and `app.js`. If found, it appends malicious JavaScript code to them.
The threat actors also employ a Windows batch script to subtly modify the last commit, making it appear as if the changes were made by the original author. It is suspected that similar tools are used to rewrite Git history on other operating systems like **Linux** and **macOS**.
"The core tradecraft remains consistent across the campaign: threat actors plant obfuscated JavaScript loaders in legitimate repositories, conceal the code through whitespace padding or fake .woff2 font files, and trigger execution through developer tooling such as **VS Code** task files," **Socket** elaborated.
## Payload and Impact
The latest iteration of the payload functions as a JavaScript malware loader that communicates with blockchain infrastructure, including **TRON**, **Aptos**, and **BNB Smart Chain** services. This communication retrieves an encrypted second-stage payload, which unpacks into **DEV#POPPER RAT** and **OmniStealer**. This intricate attack chain was previously detailed by **eSentire** in March 2026.
Zanki emphasized the deceptive tactics used: "The threat actors use Git history rewriting, including force pushes and antedated commits to make malicious changes appear older and less suspicious." This makes traditional **GitHub** landing pages and visible commit histories unreliable indicators of compromise. Defenders are advised to scrutinize repository activity logs, package release metadata, **VS Code** task configurations, and any suspicious modifications to configuration files.
## Recent Discoveries and Mitigation
The expansion of **PolinRider** coincides with recent findings by **JFrog**, which uncovered a cluster of npm packages linked to **Contagious Interview**, some mimicking **Rollup** polyfill tools to facilitate remote access and data theft. Furthermore, another set of npm and Go packages was identified incorporating **VS Code** auto-run tasks to execute JavaScript payloads disguised as fake font files, highlighting tactical overlaps between **Fake Font**, **TaskJacker**, and **PolinRider** campaigns.
Organizations and individual users who have installed these compromised packages should immediately consider their environments compromised. Recommended actions include:
* Rotating exposed secrets from a clean machine.
* Removing affected package versions and rebuilding from a known good lockfile.
* Auditing developer workstations and repositories for hidden execution paths or suspicious commits that have modified files such as `.vscode/tasks.json`, `config.js`, `vite.config.js`, and `eslint.config.js`.
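The audit step above, together with the auto-run task and appended-loader behaviour described earlier, can be checked mechanically. The following Python is an added example written for this article, not tooling from Socket, OpenSourceMalware or any project named here; the sample `tasks.json` and config file it scans are constructed, and the padding and keyword thresholds are heuristics chosen for illustration.

```python
import json
import re

# Constructed sample inputs (not from the report): a VS Code tasks.json with one
# auto-run task, and a tailwind config with a whitespace-padded loader appended.
SAMPLE_TASKS_JSON = """{
  // comment lines are legal in VS Code's JSONC
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "init", "type": "shell", "command": "node .vscode/.font.woff2",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""
SAMPLE_CONFIG_JS = (
    "module.exports = { content: ['./src/**/*.js'] };\n"
    + " " * 400 + "eval(require('fs').readFileSync('./fonts/a.woff2','utf8'))\n"
)

def strip_jsonc_comments(text):
    # Drop // and /* */ comments that sit outside string literals.
    return re.sub(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/',
                  lambda m: m.group(1) or "", text, flags=re.S)

def auto_run_tasks(tasks_json_text):
    """Return labels of tasks that fire automatically when the folder opens."""
    data = json.loads(strip_jsonc_comments(tasks_json_text))
    flagged = []
    for task in data.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            flagged.append(task.get("label", "<unnamed>"))
    return flagged

# Heuristics (assumed thresholds): a long run of leading whitespace followed by
# code hides an appended loader off-screen; the keywords match the tradecraft
# described in the article (fake .woff2 fonts, dynamic code evaluation).
PADDING = re.compile(r"^[ \t]{200,}\S")
LOADER_HINTS = re.compile(r"\.woff2|eval\(|new Function\(|child_process")

def suspicious_config_lines(config_text):
    """Return (line_no, reason) for lines that look like an appended loader."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        if PADDING.match(line):
            findings.append((no, "whitespace-padded code"))
        elif len(line) > 2000 or LOADER_HINTS.search(line):
            findings.append((no, "loader indicator"))
    return findings
```

Run both checks over every `.vscode/tasks.json` and the config files listed above in each repository, and treat any hit as a reason to pull the Git reflog and release metadata before trusting the visible history.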