Close Menu

    Subscribe to Updates

    Get the latest creative news from infofortech

    What's Hot

    Helping AI models to meet the real world | MIT News

    July 14, 2026

    AWS Security Hub expands coverage to Microsoft Azure and beefs up AI protections

    July 14, 2026

    Why Personalized Lead Data Analysis Beats Bulk Reporting Every Single Time

    July 14, 2026
    Facebook X (Twitter) Instagram
    InfoForTech
    • Home
    • Latest in Tech
    • Artificial Intelligence
    • Cybersecurity
    • Innovation
    Facebook X (Twitter) Instagram
    InfoForTech
    Home»Cybersecurity»North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign
    Cybersecurity

    North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign

    InfoForTechBy InfoForTechJuly 4, 2026No Comments4 Mins Read
    Facebook Twitter Pinterest Telegram LinkedIn Tumblr WhatsApp Email
    North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign
    Share
    Facebook Twitter LinkedIn Pinterest Telegram Email


    The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing 108 unique packages and web browser extensions spanning npm, Packagist, Go, and Google Chrome as part of an ongoing activity referred to as PolinRider.

    “The campaign remains active, and new malicious packages are likely to continue appearing as threat actors compromise maintainer accounts, modify legitimate repositories, and publish infected package versions where they retain or obtain registry access,” Socket security researcher Karlo Zanki said in an analysis published this week.

    The 162 malicious release artifacts span multiple release versions corresponding to 108 unique packages and extensions, including 19 npm libraries, 10 Composer packages, 61 Go modules, and one Google Chrome extension.

    Contagious Interview is the moniker assigned to a North Korea-aligned campaign that weaponizes job recruitment to target software developers and individuals working in the cryptocurrency sectors, using persuasive job interviews and assessments to trick them into executing malicious code.

    The activity is known to be active since at least 2023. Attackers masquerade as recruiters or collaborators on platforms like LinkedIn, GitHub, or freelance websites, often setting up elaborate front companies and AI-generated employee profiles to build trust and ultimately deliver malware.

    PolinRider was first flagged by the OpenSourceMalware team in March 2026, describing it as involving the threat actors implanting malicious obfuscated JavaScript payloads in hundreds of public GitHub repositories belonging to several unique owners to deliver a new variant of BeaverTail, a known JavaScript malware associated with Contagious Interview.

    As of April 11, 2026, the activity has compromised 1,951 public GitHub repositories associated with 1,047 unique owners, while also merging with another cluster called TaskJacker that drops malicious VS Code task files into GitHub users’ existing repositories. The VS Code tasks include the “runOn: ‘folderOpen'” option to trigger the execution of arbitrary code when the folder is opened as a workspace folder in an IDE like VS Code or Cursor. 

    “The threat actor is not using stolen GitHub credentials,” OpenSourceMalware said. “Instead, the victims have been compromised via a malicious VS Code extension or npm package.” It’s believed that the attackers are taking over maintainer accounts, likely through expired domain takeover or another account recovery path, to pull off the scheme.

    Once executed, the malware searches the infected computer for certain files like “postcss.config.mjs,” “tailwind.config.js,” “eslint.config.mjs,” next.config.mjs,” babel.config.js,” and “app.js,” and, if found, appends malicious JavaScript code to them.

    It also makes use of a Windows batch script to stealthily modify the last commit, while making it appear as if they were made by the original author. It’s suspected that similar tools are being utilized to rewrite Git history for other operating systems like Linux and macOS.

    “The core tradecraft remains consistent across the campaign: threat actors plant obfuscated JavaScript loaders in legitimate repositories, conceal the code through whitespace padding or fake .woff2 font files, and trigger execution through developer tooling such as VS Code task files,” Socket said.

    In the latest wave, the payload functions as a JavaScript malware loader that reaches out to blockchain infrastructure, including TRON, Aptos, and BNB Smart Chain services, to fetch an encrypted second-stage payload that unpacks to DEV#POPPER RAT and OmniStealer. This attack chain was detailed by eSentire in March 2026.

    “The threat actors use Git history rewriting, including force pushes and anti-dated commits to make malicious changes appear older and less suspicious,” Zanki said. “This makes the GitHub landing page and visible commit history unreliable indicators of compromise; defenders should review repository activity logs, package release metadata, VS Code task configuration, and suspicious changes to configuration files.”

    The development comes as JFrog uncovered a cluster of npm packages linked to Contagious Interview, some of which masqueraded as Rollup polyfill tools to enable remote access and data theft. Earlier this week, another set of npm packages and Go packages was identified as incorporating VS Code auto-run tasks to run JavaScript payloads disguised as fake font files, indicating tactical overlaps between Fake Font, TaskJacker, and PolinRider.

    Users who have installed these packages should treat the environment as compromised, rotate exposed secrets from a clean machine, remove affected versions and rebuild from a known good lockfile, and audit developer workstations and repositories for hidden execution paths or suspicious commits that have modified “.vscode/tasks.json,” “config.js,” “vite.config.js,” and “eslint.config.js” files.

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    InfoForTech
    • Website

    Related Posts

    U.S. Sanctions First VPN Service and Malware Cryptor Seller Over Ransomware Support

    July 14, 2026

    CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks

    July 13, 2026

    Rokarolla Android Malware, How to Protect Your Banking Apps

    July 13, 2026

    Europe Must Sell Intelligence, Not Electrons

    July 13, 2026

    Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns

    July 12, 2026

    Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install

    July 12, 2026
    Leave A Reply Cancel Reply

    Advertisement
    Top Posts

    DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks

    March 20, 202638 Views

    Microsoft is bringing an AI helper to Xbox consoles

    March 14, 202618 Views

    Why Security Validation Is Becoming Agentic

    March 16, 202616 Views

    This is the tech that makes Volvo’s latest EV a major step forward

    January 24, 202616 Views
    Stay In Touch
    • Facebook
    • Twitter
    • Pinterest
    • Instagram
    • YouTube
    • Vimeo
    Advertisement
    About Us
    About Us

    Our mission is to deliver clear, reliable, and up-to-date information about the technologies shaping the modern world. We focus on breaking down complex topics into easy-to-understand insights for professionals, enthusiasts, and everyday readers alike.

    We're accepting new partnerships right now.

    Facebook X (Twitter) YouTube
    Most Popular

    DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks

    March 20, 202638 Views

    Microsoft is bringing an AI helper to Xbox consoles

    March 14, 202618 Views

    Why Security Validation Is Becoming Agentic

    March 16, 202616 Views
    Categories
    • Artificial Intelligence
    • Cybersecurity
    • Innovation
    • Latest in Tech
    © 2026 All Rights Reserved InfoForTech.
    • Home
    • About Us
    • Contact Us
    • Privacy Policy

    Type above and press Enter to search. Press Esc to cancel.

    Ad Blocker Enabled!
    Ad Blocker Enabled!
    Our website is made possible by displaying online advertisements to our visitors. Please support us by disabling your Ad Blocker.