**Supply Chain Alert: North Korean “PolinRider” Campaign Targets Developers With Malicious Packages**
A North Korea-linked cyber espionage group has been actively distributing malicious software through popular code repositories, according to a recent analysis. The campaign, codenamed **PolinRider**, continues to evolve and poses a significant threat to software supply chains, particularly targeting developers in the cryptocurrency sector.
**Multi-Platform Threat**
Security researchers have identified 162 malicious release artifacts across four major platforms: npm, Packagist (Composer), Go modules, and Google Chrome. These artifacts encompass 108 unique packages and browser extensions, including 19 npm libraries, 10 Composer packages, 61 Go modules, and one Chrome extension. The campaign remains active, with new packages likely to appear as threat actors compromise legitimate maintainer accounts.
**Deceptive Tactics**
PolinRider is part of a broader operation where attackers masquerade as recruiters or collaborators on professional platforms like LinkedIn and GitHub. They often use fake companies and AI-generated profiles to build trust with targets in the software and cryptocurrency industries. The goal is to trick victims into executing malicious code, often under the guise of a job interview or assessment.
The malware operates by implanting obfuscated JavaScript payloads into public repositories. These payloads can be delivered through malicious VS Code task files or infected packages. Once executed, the malware searches for common configuration files—such as `postcss.config.mjs`, `tailwind.config.js`, and `eslint.config.mjs`—and appends malicious code to them. It even uses Windows batch scripts to alter Git commit histories, making the malicious changes appear to be legitimate work from the original author.
**Latest Attack Chain**
The most recent wave of PolinRider malware functions as a loader that contacts blockchain infrastructure, including TRON, Aptos, and BNB Smart Chain. It then downloads a second-stage payload that unleashes the DEV#POPPER Remote Access Tool (RAT) and OmniStealer, enabling comprehensive system compromise and data theft.
**Recommendations for Developers**
Given the sophistication and persistence of these attacks, security experts advise extreme caution. Users who have installed suspicious packages should consider their environments compromised. Key mitigation steps include:
– Rotating all exposed secrets from a clean, trusted machine.
– Removing affected package versions and rebuilding from a known-good lockfile.
– Auditing development workstations for suspicious changes to configuration files like `.vscode/tasks.json`, `config.js`, `vite.config.js`, and `eslint.config.js`.
—
*Original Source: “North Korean threat actors linked to Contagious Interview campaign found publishing 108 malicious packages” by Socket Security, published in The Register.*



