At a Glance
| Actor / group | Suspected North Korean actors in the Contagious Interview / Famous Chollima cluster (Socket assessment) |
|---|---|
| Activity type | Open-source supply chain campaign; hidden JavaScript loaders in packages and repositories |
| Targets / victims | Developers and their environments across npm, Packagist, Go modules, and Chrome |
| Scale | 162 malicious release artifacts across 108 unique packages and extensions; campaign ongoing |
| Law-enforcement status | No arrests or charges announced; vendor research disclosure |
| Source | Socket Threat Research Team |
TL;DR
Socket’s Threat Research Team says the PolinRider supply chain attack has grown well beyond npm. Researchers counted 162 malicious release artifacts across 108 packages and extensions in npm, Packagist, Go modules, and Chrome. Socket links the operation to North Korean hackers tied to the Contagious Interview cluster.
What Happened
PolinRider plants hidden JavaScript loaders inside trusted repositories. The actors conceal the code two ways. Older builds bury it in configuration files such as vite.config.js. Newer builds disguise it as a fake .woff2 font, then run it through a Visual Studio Code task on folder open. They also rewrite Git history with force pushes and back-dated commits. As Socket’s Karlo Zanki puts it, “the campaign remains active, and new malicious packages are likely to continue appearing.”
That trick makes a repository look untouched for months. So the GitHub file view and commit list become unreliable. Defenders should instead check the Activity tab, release metadata, and VS Code task files. In one case, a compromised maintainer account named Xpos587 saw several unrelated repositories change within the same narrow window.
Expansion to Packagist
The campaign recently reached Packagist through compromised packages in the sevenspan namespace. Maintainers there removed fake font payloads, yet obfuscated JavaScript stayed hidden in some config files. So partial cleanup left the door open. That gap shows why teams must hunt every payload variant, not just one.
Who Is Behind It
Socket links PolinRider to North Korean hackers tied to Contagious Interview and Famous Chollima. SC Media notes analysts treat Famous Chollima as a subset of the Lazarus group. Separately, the OpenSourceMalware team has tracked the broader effort across roughly 1,900 GitHub repositories. Still, this remains a research assessment, not a proven case. No one has been charged, and authorities have announced no arrests. The attribution rests on shared tradecraft and target patterns, so treat it as suspected rather than confirmed.
Impact and Scale
The PolinRider supply chain attack targets developer machines, not just end users. A single bad install can expose source code, registry tokens, cloud keys, and crypto wallets. The 162 artifacts span dozens of Go modules, ten Packagist packages, one Chrome extension, and several npm libraries. Once active, the loader contacts public blockchain and RPC services, then fetches an encrypted second stage. Observed follow-on malware includes DEV#POPPER and OmniStealer, which steal credentials and wallet data. Joshua Miller of BeyondTrust warned that “one compromised maintainer reaches everyone downstream who trusts that package.”
What Comes Next and How to Stay Protected
Expect more packages, because Socket calls the campaign ongoing. Teams that installed affected versions should treat the environment as compromised. Rebuild from a known-good lockfile, and rotate exposed secrets from a clean machine. Also audit developer workstations and repositories for hidden execution paths. Then inspect .vscode/tasks.json and config files for odd changes, and require MFA on GitHub and registries. This PolinRider supply chain attack thrives on stale accounts, so review whether expired domains can still recover maintainer logins.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.