Supply Chain Security

North Korean Hackers Target Open Source Developers in Supply Chain Attacks 

The PolinRider campaign has compromised more than 100 legitimate open source packages and repositories to deliver a backdoor and information stealer to developers.

North Korea hackers

North Korean hackers are targeting open source software developers with a backdoor and an information stealer as part of a broad supply chain campaign, Socket reports.

Referred to as PolinRider, the campaign has been ongoing since December 2025, using compromised GitHub repositories injected with JavaScript loaders leading to the DEV#POPPER remote access trojan (RAT) and the OmniStealer information stealer.

Associated with the broader Contagious Interview operation, which includes tactics also seen in the DeceptiveDevelopment, Operation Dream Job, and ClickFake Interview campaigns, PolinRider is targeting developers across NPM, Packagist, Go modules, and Chrome extensions.

To date, Socket has identified 162 malicious release artifacts across 108 unique packages, with more expected to emerge as the campaign continues.

As part of the attacks, the threat actor compromises maintainer accounts to tamper with legitimate repositories and push infected packages. Additionally, the attackers rely on Git history rewriting to make the malicious changes appear older.

The compromised repositories contain obfuscated JavaScript loaders that connect to the blockchain and public remote procedure call (RPC) infrastructure to retrieve encrypted payloads.

Advertisement. Scroll to continue reading.

Among the incidents associated with PolinRider, Socket identified the compromise of Xpos587, a GitHub account that maintains several repositories that were modified on June 23 during a small timeframe.

Recently, the campaign expanded to Packagist, where multiple packages under the sevenspan namespace were compromised. The attackers hid the malicious loaders in configuration files that were not identified during the cleanup operation.

“Teams that installed any affected package or extension version should treat the installation environment as potentially compromised until reviewed. Because PolinRider targets developer environments and may expose package registry, source code, cloud, and CI/CD credentials, remediation should be performed from a clean machine, not from the potentially infected host,” Socket notes.

Related: North Korean Hackers Blamed for Mastra NPM Supply Chain Attack

Related: North Korean Hackers Use AppleScript, ClickFix in Fresh macOS Attacks

Related: $290 Million Kelp DAO Crypto Heist Blamed on North Korea

Related: North Korean Hackers Target High-Profile Node.js Maintainers

Related Content

Artificial Intelligence

Decades-old Bash shell tricks can bypass safeguards in most open source AI coding agents, potentially turning malicious repositories into supply chain attack vectors.

Data Breaches

Roughly two dozen companies have notified their customers of the Klue-Salesforce incident impact.

Supply Chain Security

A malicious dependency the attackers added to over 140 Mastra packages fetches a payload targeting cryptocurrency extensions.

Data Breaches

HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, and Tanium are among the affected Klue customers.

Supply Chain Security

The hackers exfiltrated data from Salesforce instances of Klue customers, such as Huntress and Recorded Future.

Malware & Threats

Arch Linux suspended account registrations in response to the wave of malicious packages being uploaded to AUR.

Malware & Threats

The most recent variants of the self-propagating attacks are named Miasma and Hades.

Supply Chain Security

Hackers published 96 malicious package versions, injected with a credential-stealing worm similar to Mini Shai-Hulud.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version