PolinRider DPRK Attack Expands Across GitHub
ID: 9b35a3b2-cfb1-59f0-9440-5f5aa89b4faf
STIX ID: report--9b35a3b2-cfb1-59f0-9440-5f5aa89b4faf
Feed Name: OpenSourceMalware Blog
Date Published: 2026-04-12
Date Updated: 2026-06-20
Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2
OpenSourceMalware reports that the DPRK-linked PolinRider supply-chain campaign has markedly expanded (~1,951 compromised GitHub repos across ~1,047 owners) and operationally merged with the TasksJacker cluster; adversaries are abusing malicious npm packages, weaponized take-home templates (ShoeVista, StakingGame), fake .woff/.woff2 font files and .vscode/tasks.json launchers to deliver obfuscated JavaScript loaders which fetch second-stage payloads via blockchain dead-drops and delivery C2s on Vercel, ultimately deploying a cross-platform backdoor/infostealer (InvisibleFerret). The blog provides detailed pivots, newly observed C2 subdomains, IOCs, scanning/remediation commands, and recommends immediate repository and environment auditing, credential rotation, and submission of sightings to OSM.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
