N.Korea-linked PolinRider campaign spread malware via open-source software

 

N.Korea-linked PolinRider campaign spread malware via open-source software

Researchers at Socket have uncovered a new campaign linked to North Korean hackers that targets software developers through malicious open-source packages and browser extensions.

The campaign, known as ‘PolinRider,’ has published 108 fake packages and extensions across popular platforms including npm, Packagist, Go, and Google Chrome. In total, researchers found 162 malicious releases designed to infect developers' computers.

The activity is linked to the Contagious Interview (aka Famous Chollima) campaign, in which attackers pose as recruiters on sites like LinkedIn, GitHub, and freelance platforms. Victims are tricked into completing fake job interviews or coding tests that secretly install malware. The campaign has been active since at least 2023.

The attackers have also compromised nearly 2,000 public GitHub repositories by hiding malicious code inside legitimate projects. Some attacks use malicious VS Code task files that automatically run when a developer opens a project, allowing the malware to infect important JavaScript files.

The malware contacts blockchain services to download encrypted payloads, which are then decrypted and executed on the victim's computer. Current payloads include DEV#POPPER and OmniStealer, but researchers warn the attackers can easily deliver other types of malware using the same method.

“Teams that installed affected package versions should treat the environment as compromised, preserve forensic artifacts, rebuild from known-good lockfiles, rotate exposed secrets from a clean machine, and audit developer workstations and repositories for hidden execution paths,” the researchers advised.

Back to the list