Security researchers from the OpenSourceMalware (OSM) team have uncovered a massive and rapidly expanding threat campaign targeting the heart of the developer ecosystem. The actor, dubbed PolinRider, is implanting malicious code into hundreds of public GitHub repositories by leveraging a sophisticated “history-falsification” technique that makes the compromise nearly invisible to casual observers.
As of April 11, 2026, the campaign has seen a dramatic 2.9x increase in scope over just five weeks, with 1,951 public GitHub repositories belonging to 1,047 unique owners now confirmed as compromised.
The attack does not rely on stolen credentials. Instead, the initial infection vector appears to be a compromised npm package or a malicious VS Code extension. Once a developer’s system is breached, the malware searches for common configuration files—such as tailwind.config.js, next.config.mjs, or postcss.config.mjs—and appends heavily obfuscated JavaScript to the end of them.
The OSM team notes the stealthy nature of this injection, stating: “The JavaScript payload is appended to the end of real project config files – silently, after the file’s legitimate content, making it easy to miss during casual code review”.
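As an added illustration of what a reviewer can check for, the following Python script (written for this article, not OSM's tooling; the marker regex, the line-length threshold and the two sample files are constructed assumptions) locates the final `module.exports`/`export default` statement in a config file of the kind named above, where such files normally end, and reports any code that trails it together with the reason it looks suspicious.

```python
import re

# Generic obfuscation markers chosen for this example, not indicators from the campaign.
OBFUSCATION = re.compile(r"\beval\(|new Function\(|\\x[0-9a-f]{2}|atob\(|fromCharCode", re.I)
EXPORT = re.compile(r"module\.exports\s*=|export\s+default\b")
MAX_LINE_LEN = 200  # assumed threshold; legitimate config lines are short


def legitimate_end(text: str) -> int:
    """Offset just past the last export statement, where tailwind/next/postcss configs end.
    Brace matching ignores strings and comments: a heuristic, not a JS parser."""
    matches = list(EXPORT.finditer(text))
    if not matches:
        return len(text)
    i = matches[-1].end()
    while i < len(text) and text[i] in " \t":
        i += 1
    if i < len(text) and text[i] == "{":  # module.exports = { ... }
        depth = 0
        for j in range(i, len(text)):
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            if depth == 0:
                i = j + 1
                break
    else:  # export default nextConfig;
        semi = text.find(";", i)
        i = len(text) if semi == -1 else semi
    return i + 1 if i < len(text) and text[i] == ";" else i


def scan_config(text: str) -> dict:
    """Report code that follows the legitimate end of the file and why it looks bad."""
    tail = text[legitimate_end(text):]
    code = [l for l in tail.splitlines() if l.strip() and not l.strip().startswith("//")]
    reasons = []
    if code:
        reasons.append("code after final export")
        if any(len(l) > MAX_LINE_LEN for l in code):
            reasons.append("overlong line")
        if OBFUSCATION.search("\n".join(code)):
            reasons.append("obfuscation marker")
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: a clean Tailwind config, then the same file with a harmless stand-in
# appended the way the report describes (the atob argument decodes to "...").
SAMPLE_CLEAN = 'module.exports = {\n  content: ["./src/**/*.{js,jsx}"],\n  plugins: [],\n};\n'
SAMPLE_TAMPERED = SAMPLE_CLEAN + "\n;(function(){var _0x1a=['\\x68\\x74\\x74\\x70'];new Function(atob('Li4u'))()})();\n"
```

Run `scan_config` over every `tailwind.config.js`, `next.config.mjs` and `postcss.config.mjs` in a checkout, or wire it into a pre-commit hook; any non-comment code after the final export in these files deserves a manual look even when no marker fires.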
What sets PolinRider apart is its use of a specialized Windows batch file named temp_auto_push.bat to cover its tracks. This script is designed to rewrite the most recent git commit so that the addition of the malicious payload appears as if it were part of the original, legitimate work.
The script operates in a series of calculated phases:
- Metadata Extraction: It captures the original commit’s author, email, timestamp, and message.
- System Clock Manipulation: It temporarily changes the Windows system clock to match the exact time of the last legitimate commit.
- Amending and Forcing: It amends the commit with the malicious changes and then force-pushes it back to GitHub.
As the report explains, “Because the system clock was rewound, git records the amended commit with the original timestamp, making it appear unmodified in history”. In plain terms, “To any observer looking at git history, it looks like the commit was never amended”.
The OSM team has attributed the campaign with high confidence to the DPRK (North Korea), identifying PolinRider as a contributor to the Lazarus group with ties to the “Contagious Interview” and “TasksJacker” operations.
A key part of the actor’s playbook involves “weaponized take-home templates”—fake coding assessments used in fraudulent job interviews to compromise developers. Two such projects, ShoeVista and StakingGame, have already successfully compromised at least 88 developers.
The investigation also found that PolinRider and TasksJacker have “operationally merged,” with the same actor now deploying multiple infection vectors against the same victims. In one instance, a single repository was found to contain markers from two different obfuscation variants, indicating that the actor is actively re-infecting earlier victims with updated tools to evade detection.
With the campaign’s infrastructure expanding across Vercel-hosted C2 subdomains and its techniques evolving to hide inside font files, the OSM team urges developers to be extremely cautious when participating in “take-home” tests or installing unverified extensions.