PolinRider Campaign: DPRK-Linked Supply Chain Attack Infects GitHub Repositories (Campaign)
ID: 7f8a98d9-671b-59fd-bb35-5e214395f5de
STIX ID: report--7f8a98d9-671b-59fd-bb35-5e214395f5de
Feed Name: Wiz Cloud Threat Landscape
Date Published: 2026-04-09
Date Updated: 2026-05-01
Author: [email protected] (Wiz Threat Research)
PolinRider — a DPRK-linked supply chain campaign — has infected over 1,900 GitHub repositories through malicious npm packages, VS Code artifacts, and injected JavaScript payloads. The attackers use obfuscated injections into project files and weaponized developer tooling, retrieve XOR-encrypted second-stage code from blockchain networks for execution via eval(), maintain persistence and remote code execution via detached processes, and rewrite Git history to hide and push malicious changes, ultimately delivering an infostealer/Beavertail variant that enables credential theft and broad downstream compromise.
