PolinRider Supply Chain Attack Hits 108 Developer Packages

North Korea-linked PolinRider activity has spread across npm, Packagist, Go modules, and a Chrome extension. Developers should audit IDE tasks, config files, package releases, and secrets from a clean machine.

Socket researchers say the North Korea-linked PolinRider supply-chain campaign has expanded across npm, Packagist, Go modules, and Google Chrome extensions, with 162 malicious release artifacts tied to 108 unique packages and extensions.[1] The activity matters because it targets developer environments rather than only end users: a successful install can expose source code, package-registry tokens, cloud credentials, CI/CD secrets, and cryptocurrency wallets before the victim realizes a dependency or browser add-on was hostile.

The July 1 Socket report connects the current wave to the broader Contagious Interview / Famous Chollima cluster, a North Korea-aligned operation known for luring developers with fake job tasks and poisoned code projects.[1] The Hacker News surfaced the campaign on July 4, noting that the same tradecraft now spans 19 npm libraries, 10 Composer packages, 61 Go modules, and one Chrome extension.[2] That cross-ecosystem spread is the reason this is more urgent than a single malicious package takedown.

PolinRider is not relying on one obvious payload file. Socket says the attackers plant obfuscated JavaScript loaders in legitimate repositories, hide code through whitespace padding or fake .woff2 font files, and trigger execution through developer tooling such as VS Code task files.[1] In some cases, Git history rewriting and backdated commits make malicious changes appear older and less suspicious, so a normal GitHub landing page can look clean while the activity log tells a different story.

OpenSourceMalware, which tracked PolinRider earlier in 2026, reported a large GitHub infection set and warned that JavaScript payloads were being appended to ordinary project configuration files.[3] That earlier research gives defenders an important clue: review postcss.config.mjs, tailwind.config.js, eslint.config.mjs, vite.config.js, next.config.mjs, app.js, and hidden .vscode/tasks.json entries rather than searching only for suspicious package names.

What developers should check now

Teams that installed affected PolinRider package or extension versions should treat the installing workstation as potentially compromised until proven otherwise. Socket’s guidance is blunt: preserve forensic artifacts, rebuild from known-good lockfiles, rotate exposed secrets from a clean machine, and audit repositories for hidden execution paths.[1] That sequence matters. Rotating tokens from the same possibly infected laptop can hand fresh credentials back to the loader.

The highest-value triage starts with package metadata and local developer tooling. Compare recent package releases against lockfiles, inspect registry publish times, look for force pushes or unexpected backdated commits, and review VS Code task configuration for auto-run behavior. If a developer opened a suspicious workspace in VS Code or Cursor, assume the workspace itself may have been used as the execution trigger.
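As an added example (not code from Socket, OpenSourceMalware, or this article), the following Python triage script applies the two local checks above to a checkout: it flags the JavaScript config files named earlier for whitespace-padded or eval()/.woff2-referencing lines, and flags VS Code tasks that auto-run when a folder is opened. The watched file names come from the article; the 200-character padding threshold, the regexes, and the sample files are assumptions.

```python
import json
import re
from pathlib import Path
# Config files the earlier OpenSourceMalware research saw payloads appended to.
WATCHED_CONFIGS = {"postcss.config.mjs", "tailwind.config.js", "eslint.config.mjs",
                   "vite.config.js", "next.config.mjs", "app.js"}
# Assumed heuristics: code pushed off-screen behind 200+ spaces/tabs, and eval()
# or .woff2 font references inside a build/lint config, which never needs either.
PADDED_CODE = re.compile(r"[ \t]{200,}\S")
SUSPECT_CALL = re.compile(r"\beval\s*\(|[\"'][^\"']*\.woff2[\"']")

def scan_config(name, text):
    """Findings for one JavaScript config file: padded-off-screen code, eval(), .woff2."""
    return [f"{name}:{n} {msg}" for n, line in enumerate(text.splitlines(), 1)
            for rx, msg in ((PADDED_CODE, "code hidden behind whitespace padding"),
                            (SUSPECT_CALL, "eval()/.woff2 reference in config file"))
            if rx.search(line)]

def scan_tasks_json(name, text):
    """Flag VS Code tasks configured to run automatically when the folder opens."""
    stripped = re.sub(r"^\s*//.*$", "", text, flags=re.M)  # tasks.json allows // comments
    try:
        doc = json.loads(stripped)
    except json.JSONDecodeError:
        return [f"{name}: unparsable tasks.json, inspect manually"]
    return [f"{name}: task {t.get('label')!r} auto-runs on folderOpen: {t.get('command', '')[:60]}"
            for t in doc.get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]

def scan_workspace(files):
    """files maps relative path -> content, so the scan also runs on in-memory samples."""
    findings = []
    for path, text in files.items():
        if Path(path).name in WATCHED_CONFIGS:
            findings += scan_config(path, text)
        elif path.replace("\\", "/").endswith(".vscode/tasks.json"):
            findings += scan_tasks_json(path, text)
    return findings

def scan_directory(root):
    """Run the same checks over a real checkout, skipping node_modules."""
    paths = [p for p in Path(root).rglob("*") if p.is_file() and "node_modules" not in p.parts]
    return scan_workspace({str(p.relative_to(root)): p.read_text(errors="replace") for p in paths})

# Constructed samples, not real PolinRider artifacts.
SAMPLE_FILES = {
    "postcss.config.mjs": "export default { plugins: {} };" + " " * 300 + "eval(atob('Li4u'));\n",
    ".vscode/tasks.json": '{"version": "2.0.0", "tasks": [{"label": "build", "type": "shell",'
                          ' "command": "node ./app.js", "runOptions": {"runOn": "folderOpen"}}]}',
}
```

Run `scan_directory(".")` from a repository root; a clean result does not prove the checkout is safe, only that these two hiding techniques are absent, so publish-time and commit-history checks still apply.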

Security teams should also hunt for outbound connections to blockchain and public RPC infrastructure used to fetch encrypted second-stage payloads. Socket observed loaders reaching TRON, Aptos, and BNB Smart Chain services, then decrypting payload material with embedded XOR keys and executing it with eval().[1] Observed follow-on payload names include DEV#POPPER and OmniStealer, which raises the risk from nuisance dependency malware to credential theft, command execution, browser-data theft, and wallet exfiltration.

This pattern fits a busy year for developer-targeted supply-chain attacks. HowToFix recently covered the Mastra npm easy-day-js attack, the Amazon Q Developer MCP RCE flaw, and Microsoft removing 119 malicious Edge extensions. PolinRider combines parts of all three themes: poisoned packages, developer tool execution, and browser-extension reach.

For maintainers, the practical response is to verify repository ownership and registry access paths, revoke stale tokens, require MFA on GitHub and package registries, and review whether abandoned domains can still recover maintainer accounts. For organizations consuming open source, the safer default is to pin dependencies, mirror known-good artifacts, block unreviewed post-install behavior where possible, and investigate any unexpected changes to JavaScript configuration files as suspicious until explained.

References

  1. Karlo Zanki, Socket Threat Research, “PolinRider: North Korea-Linked Supply Chain Campaign Expands Across Open Source Ecosystems,” July 1, 2026.
  2. Ravie Lakshmanan, The Hacker News, “North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign,” July 4, 2026.
  3. OpenSourceMalware, “PolinRider: DPRK Threat Actor Implants Malware in Hundreds of GitHub Repos,” updated April 11, 2026.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
