logo

PolinRider DPRK Attack Expands Across GitHub

ID: 9b35a3b2-cfb1-59f0-9440-5f5aa89b4faf

STIX ID: report--9b35a3b2-cfb1-59f0-9440-5f5aa89b4faf

Feed Name: OpenSourceMalware Blog

Threat Score
92/100

Date Published: 2026-04-12

Date Updated: 2026-06-20

Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2

...
...

OpenSourceMalware reports that the DPRK-linked PolinRider supply-chain campaign has markedly expanded (~1,951 compromised GitHub repos across ~1,047 owners) and operationally merged with the TasksJacker cluster; adversaries are abusing malicious npm packages, weaponized take-home templates (ShoeVista, StakingGame), fake .woff/.woff2 font files and .vscode/tasks.json launchers to deliver obfuscated JavaScript loaders which fetch second-stage payloads via blockchain dead-drops and delivery C2s on Vercel, ultimately deploying a cross-platform backdoor/infostealer (InvisibleFerret). The blog provides detailed pivots, newly observed C2 subdomains, IOCs, scanning/remediation commands, and recommends immediate repository and environment auditing, credential rotation, and submission of sightings to OSM.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.