VYPR research
Published Jul 3, 2026 · 1 source

North Korea-Linked PolinRider Campaign Poisons Open Source Repositories

North Korean threat actors are leveraging the PolinRider campaign to inject malicious JavaScript loaders into popular open source ecosystems, including npm, Packagist, and Go modules.

A sophisticated supply chain attack campaign, dubbed PolinRider and attributed to North Korean threat actors associated with the Contagious Interview and Famous Chollima activity clusters, is actively compromising open source repositories. Researchers have uncovered a widespread effort to hide malicious JavaScript loaders within legitimate-looking code packages across multiple platforms, including npm, Packagist, Go modules, and even Chrome extensions. The campaign is an evolution of tactics seen previously, in which North Korean groups targeted developers with fake job offers and infected coding tests; it now extends their reach directly into the software development supply chain.

The scale of the PolinRider campaign is significant, with researchers identifying at least 162 malicious artifacts spread across 108 unique packages and extensions. This includes a substantial number of compromised Go modules, Packagist packages, and a Chrome extension, demonstrating the attackers' broad reach and ability to poison diverse corners of the open source ecosystem simultaneously. The malicious code is often disguised within seemingly innocuous files, making it difficult for developers to detect during routine code reviews or package installations.

Attackers behind PolinRider employ a variety of obfuscation techniques to evade detection. Early iterations hid obfuscated JavaScript within configuration files like config.js. More recent versions have escalated to disguising the malicious script as a fake .woff2 font file, a format unlikely to be scrutinized by developers. The execution of these loaders is triggered through Visual Studio Code task files, specifically those configured to run automatically when a folder is opened, allowing for stealthy activation without direct user intervention.

Once executed, the JavaScript loader communicates with blockchain and public RPC services, including TRON, Aptos, and BNB Smart Chain networks. It leverages these connections to fetch an encrypted second-stage payload, which is then decrypted using an embedded XOR key and executed via the eval() function. The observed second-stage payloads, such as DEV#POPPER and OmniStealer, are designed for remote command execution and are capable of stealing sensitive information, including credentials and cryptocurrency wallet data.

A central element of the campaign appears to be a compromised GitHub account named Xpos587, which exhibited a pattern of bulk repository modifications on June 23rd. Repositories associated with this account, such as Xpos587/git2md and Xpos587/markfetch, along with the Artiffusion-Inc/mirofish project, were found to contain the malicious loaders. The attackers also utilized Git history rewriting techniques, including force pushes and backdated commits, to obscure the timeline of malicious activity and make the compromised code appear older than it actually is.
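The history-rewriting described above can be surfaced, at least partly, from commit metadata: a commit whose author date is far older than its committer date, or a child commit dated earlier than its parent, is worth a look. The following heuristic is an added example written for this summary, not a tool from the cited research. It assumes the input was produced with `git log --first-parent --format='%H%x09%an%x09%at%x09%ct'` (hash, author name, author epoch, committer epoch, tab-separated, newest first), and the threshold of seven days is an assumption, not a value from the page. If an attacker forged both dates consistently, only server-side push events or a reflog will reveal the rewrite; the check below is a triage aid, not proof.

```python
"""Heuristic check for backdated or reordered commits in a git log dump.
Added example for this note; not tooling from the PolinRider research."""

# Assumption: more than a week between author date and committer date is
# unusual enough on a normal project to deserve review.
SKEW_THRESHOLD = 7 * 24 * 3600

# Constructed sample log (three commits, newest first). The middle commit
# carries an author date roughly a year older than its committer date, the
# pattern left behind by `git commit --date=<past>` without a matching
# committer date; the newest commit is dated earlier than its parent.
SAMPLE_LOG = """\
c3c3c3\tdeveloper\t1750665600\t1750665600
c2c2c2\tdeveloper\t1718000000\t1750680000
c1c1c1\tdeveloper\t1717000000\t1717000000
"""


def parse_log(text):
    """Turn tab-separated `git log` lines into dicts; blank lines are skipped."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        commit_hash, author, author_time, commit_time = line.split("\t")
        commits.append({
            "hash": commit_hash,
            "author": author,
            "author_time": int(author_time),
            "commit_time": int(commit_time),
        })
    return commits


def suspicious_commits(text, skew_threshold=SKEW_THRESHOLD):
    """Return (hash, reason) pairs for commits whose dates look rewritten."""
    commits = parse_log(text)
    flagged = []
    for c in commits:
        skew = c["commit_time"] - c["author_time"]
        if skew > skew_threshold:
            flagged.append((c["hash"],
                            "author date %d days older than commit date" % (skew // 86400)))
        elif skew < 0:
            # Author date after committer date never happens naturally.
            flagged.append((c["hash"], "author date later than commit date"))
    # With --first-parent the output is the parent chain, so a commit listed
    # above its parent but carrying an earlier committer date is out of order.
    for child, parent in zip(commits, commits[1:]):
        if child["commit_time"] < parent["commit_time"]:
            flagged.append((child["hash"], "commit date earlier than its parent"))
    return flagged


if __name__ == "__main__":
    for commit_hash, reason in suspicious_commits(SAMPLE_LOG):
        print(commit_hash, reason)
```

Run it against a real repository by piping the `git log` command from the lead-in into `suspicious_commits`; commits it flags should then be compared with the hosting platform's push history rather than trusted on the strength of the dates alone.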

The campaign's expansion into the Packagist ecosystem involved a namespace named sevenspan, linked to the 7span organization, with the 7span/react-list package being among those affected. While maintainers have taken steps to remove some malicious files, the persistence of obfuscated code within configuration files highlights the challenges in fully eradicating such threats. Security teams are advised to treat any environment running an affected package as potentially compromised and to conduct thorough forensic investigations.

To mitigate the risks associated with the PolinRider campaign, security teams should preserve forensic evidence, rebuild systems from known good lock files, and rotate any exposed secrets from a clean machine. Auditing machines for suspicious Visual Studio Code tasks configured to run on folder open is also recommended. Furthermore, a thorough review of repositories for unusual modifications to files like tasks.json, config.js, and vite.config.js is crucial for identifying potential compromises.
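The audit steps above (tasks that run on folder open, script bodies hidden in .woff2 files, eval in config.js or vite.config.js) can be automated for a checked-out repository. The script below is an added example written for this note, not tooling from the research or from any of the projects named; it builds a small constructed repository layout in a temporary directory so it runs offline. The `runOptions.runOn` key and the `folderOpen` value are real Visual Studio Code task settings, and real WOFF2 files start with the four-byte signature `wOF2`; the file contents, labels and commands in the demo repository are constructed. A folder-open task is a legitimate feature with benign uses, so a hit is a review item, not proof of compromise.

```python
"""Audit a repository for PolinRider-style trigger and disguise artefacts.
Added example for this note; not tooling from the cited research."""
import json
import re
import tempfile
from pathlib import Path

WOFF2_MAGIC = b"wOF2"                       # signature of a genuine WOFF2 font
WATCHED_JS = {"config.js", "vite.config.js"}  # files the summary names as modified
EVAL_PATTERN = re.compile(r"\beval\s*\(")


def _strip_jsonc(text):
    """VS Code accepts comments and trailing commas in tasks.json; a minimal cleanup
    (heuristic: may mangle strings containing '/*')."""
    lines = [ln for ln in text.splitlines() if not ln.strip().startswith("//")]
    text = re.sub(r"/\*.*?\*/", "", "\n".join(lines), flags=re.S)
    return re.sub(r",(\s*[}\]])", r"\1", text)


def auto_run_tasks(tasks_json_text):
    """Return labels of tasks configured with runOptions.runOn == 'folderOpen'."""
    data = json.loads(_strip_jsonc(tasks_json_text))
    return [task.get("label", "<unlabelled>")
            for task in data.get("tasks", [])
            if task.get("runOptions", {}).get("runOn") == "folderOpen"]


def is_fake_woff2(path):
    """True when a .woff2 file does not start with the WOFF2 signature."""
    with open(path, "rb") as fh:
        return fh.read(4) != WOFF2_MAGIC


def audit_repo(root):
    """Walk a checkout and return sorted (finding, posix-relative-path) tuples."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == "tasks.json" and path.parent.name == ".vscode":
            try:
                for label in auto_run_tasks(path.read_text()):
                    findings.append(("task-runs-on-folder-open:" + label, rel))
            except json.JSONDecodeError:
                findings.append(("tasks.json-unparseable", rel))
        if path.suffix == ".woff2" and is_fake_woff2(path):
            findings.append(("woff2-bad-magic", rel))
        if path.name in WATCHED_JS and EVAL_PATTERN.search(path.read_text(errors="replace")):
            findings.append(("eval-in-config-file", rel))
    return sorted(findings)


def build_demo_repo():
    """Constructed sample checkout: one benign task, one folder-open task,
    one real and one fake .woff2, and a config.js calling eval()."""
    root = Path(tempfile.mkdtemp(prefix="repo-audit-"))
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(
        '{\n  // constructed tasks.json with a comment and trailing comma\n'
        '  "version": "2.0.0",\n  "tasks": [\n'
        '    {"label": "build", "type": "shell", "command": "npm run build"},\n'
        '    {"label": "prepare", "type": "shell", "command": "node scripts/setup.js",\n'
        '     "runOptions": {"runOn": "folderOpen"}},\n  ],\n}\n')
    fonts = root / "assets" / "fonts"
    fonts.mkdir(parents=True)
    (fonts / "icons.woff2").write_bytes(b"var _0x=[];eval(_0x.join(''));")  # script, not a font
    (fonts / "real.woff2").write_bytes(WOFF2_MAGIC + b"\x00" * 40)           # genuine header
    (root / "config.js").write_text("module.exports = {};\neval(payload);\n")
    (root / "vite.config.js").write_text("export default { plugins: [] };\n")
    return root


if __name__ == "__main__":
    for finding, rel in audit_repo(build_demo_repo()):
        print(finding, rel)
```

Point `audit_repo` at a real checkout to get the same three classes of finding; anything it reports on a machine that ran an affected package belongs in the forensic record before the system is rebuilt from a known good lock file.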

Synthesized by Vypr AI