logo

GitHub Maintainer Accounts Compromised in PolinRider Campaign

ID: d0a2c0da-5fe8-5a85-8279-4427f79f92b1

STIX ID: report--d0a2c0da-5fe8-5a85-8279-4427f79f92b1

Feed Name: ThreatCluster

Threat Score
90/100

Date Published: 2026-07-03

Date Updated: 2026-07-03

...
...

PolinRider is a multi-ecosystem supply‑chain campaign where threat actors compromised GitHub maintainer accounts to distribute 162 malicious release artifacts across 108 packages (npm, Go modules, Packagist and a Chrome extension). The attackers used obfuscated JavaScript loaders that execute in developer tools (notably VS Code), abused account recovery and rewrote Git history to evade detection; follow-on payloads include remote access and credential-stealing malware linked to a North Korean threat cluster.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.