North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign
ID: fa44e92f-6e78-59d0-9db4-1e66cd15aa85
STIX ID: report--fa44e92f-6e78-59d0-9db4-1e66cd15aa85
Feed Name: The Hacker News
**PolinRider / Contagious Interview:** A North Korea-linked active campaign has been infecting open-source ecosystems and developer tooling by publishing malicious npm, Composer, Go, and Chrome extension packages and injecting obfuscated JavaScript into public GitHub repositories and VS Code tasks; the loaders fetch encrypted second-stage payloads (DEV#POPPER RAT, OmniStealer) via blockchain infrastructure. The activity leverages maintainer account takeover or compromised packages, Git history rewriting to hide changes, and VS Code auto-run tasks to trigger execution, affecting many repositories and posing supply-chain and credential-exfiltration risks.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
