North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign
What happened
North Korea-linked threat actors tied to the Contagious Interview campaign have published 108 malicious packages and browser extensions across npm, Packagist, Go, and Google Chrome as part of an ongoing activity cluster called PolinRider. Socket researchers said the campaign remains active and includes 162 malicious release artifacts across 19 npm libraries, 10 Composer packages, 61 Go modules, and one Chrome extension.
The campaign targets software developers and people working in cryptocurrency by using fake job recruitment, developer assessments, and collaboration lures to trick victims into running malicious code. PolinRider was first flagged in March 2026 after attackers were found planting obfuscated JavaScript payloads into public GitHub repositories to deliver a BeaverTail variant, a JavaScript malware family already associated with Contagious Interview.
The activity has also affected GitHub at scale. As of April 11, 2026, researchers said the campaign had compromised 1,951 public GitHub repositories tied to 1,047 unique owners. The attackers are believed to compromise developer environments through malicious VS Code extensions or npm packages, then modify existing repositories, inject hidden JavaScript loaders, and rewrite Git history so the changes appear older or less suspicious.
The latest wave uses JavaScript loaders that contact blockchain infrastructure, including TRON, Aptos, and BNB Smart Chain services, to retrieve encrypted second-stage payloads. Those payloads unpack to DEV#POPPER RAT and OmniStealer, giving attackers remote access and data-theft capabilities. Socket said defenders should not rely only on visible GitHub commit history and should instead review package metadata, repository activity logs, VS Code task files, and suspicious changes to configuration files.
Who is affected
Software developers are directly affected, especially those who install open-source packages, use VS Code or Cursor, or participate in job assessments and freelance development tasks involving unfamiliar repositories.
Cryptocurrency companies, Web3 projects, and developers working with crypto infrastructure are also affected because the broader Contagious Interview campaign has repeatedly targeted people in the cryptocurrency sector.
Organizations may be exposed if employees install malicious packages or extensions on workstations that contain source code, credentials, secrets, wallet infrastructure access, cloud tokens, or internal repositories.
Why CISOs should care
This campaign shows how developer workstations and open-source ecosystems are becoming direct entry points for North Korean intrusion activity. The attackers are not only publishing malicious packages but also modifying legitimate repositories and using developer tooling to trigger execution.
The VS Code and Cursor angle is especially important. Malicious task files can run automatically when a folder is opened as a workspace, turning a routine developer action into code execution.
Git history rewriting also creates a practical detection problem. If attackers can force-push or anti-date commits, the visible repository timeline may not show the true moment of compromise.
For CISOs, the bigger issue is software supply chain trust. A compromised developer machine or repository can expose secrets, infect downstream users, and turn normal package installation workflows into a malware delivery channel.
3 practical actions
Treat affected developer environments as compromised: Users who installed suspicious packages or extensions should rotate exposed secrets from a clean machine, remove affected versions, rebuild from known-good lockfiles, and review local repositories for hidden execution paths.
Audit developer tooling and repository changes: Security teams should inspect VS Code task configurations, configuration files, package release metadata, repository activity logs, and suspicious commits that modify build or development files.
Reduce open-source package risk in development workflows: CISOs should require package allowlisting, dependency review, lockfile enforcement, secret scanning, and stronger controls around job-assessment repositories or freelance collaboration code.
Recent cyber incidents in the news:


