North Korean Hackers Target Open Source Developers in Supply Chain Attacks
North Korean hackers are targeting open source developers with malware via compromised packages.
Summary
North Korean threat actors are conducting the PolinRider campaign, compromising over 100 open source packages and repositories across NPM, Packagist, Go modules, and Chrome extensions since December 2025. The attackers inject JavaScript loaders to deliver the DEV#POPPER RAT and OmniStealer information stealer, targeting developer environments and potentially exposing sensitive credentials. They tamper with maintainer accounts and rewrite Git history to conceal their malicious activities.
Full text
North Korean hackers are targeting open source software developers with a backdoor and an information stealer as part of a broad supply chain campaign, Socket reports. Referred to as PolinRider, the campaign has been ongoing since December 2025, using compromised GitHub repositories injected with JavaScript loaders leading to the DEV#POPPER remote access trojan (RAT) and the OmniStealer information stealer. Associated with the broader Contagious Interview operation, which includes tactics also seen in the DeceptiveDevelopment, Operation Dream Job, and ClickFake Interview campaigns, PolinRider is targeting developers across NPM, Packagist, Go modules, and Chrome extensions. To date, Socket has identified 162 malicious release artifacts across 108 unique packages, with more expected to emerge as the campaign continues. As part of the attacks, the threat actor compromises maintainer accounts to tamper with legitimate repositories and push infected packages. Additionally, the attackers rely on Git history rewriting to make the malicious changes appear older. The compromised repositories contain obfuscated JavaScript loaders that connect to the blockchain and public remote procedure call (RPC) infrastructure to retrieve encrypted payloads.Advertisement. Scroll to continue reading. Among the incidents associated with PolinRider, Socket identified the compromise of Xpos587, a GitHub account that maintains several repositories that were modified on June 23 during a small timeframe. Recently, the campaign expanded to Packagist, where multiple packages under the sevenspan namespace were compromised. The attackers hid the malicious loaders in configuration files that were not identified during the cleanup operation. “Teams that installed any affected package or extension version should treat the installation environment as potentially compromised until reviewed. Because PolinRider targets developer environments and may expose package registry, source code, cloud, and CI/CD credentials, remediation should be performed from a clean machine, not from the potentially infected host,” Socket notes. Related: North Korean Hackers Blamed for Mastra NPM Supply Chain Attack Related: North Korean Hackers Use AppleScript, ClickFix in Fresh macOS Attacks Related: $290 Million Kelp DAO Crypto Heist Blamed on North Korea Related: North Korean Hackers Target High-Profile Node.js Maintainers Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire New CitrixBleed Vulnerability Exploited Immediately After Public DisclosureFortiBleed Campaign Linked to INC, Lynx Ransomware AttacksCisco Confirms In-the-Wild Exploitation of Unified CM Vulnerability‘BioShocking’ Attack Tricks AI Browsers Into Stealing CredentialsCISA Warns of Actively Exploited Microsoft SharePoint VulnerabilityMicrosoft Adds New Teams Controls to Block Unauthorized AI Bots From MeetingsAdobe Patches Critical ColdFusion, Campaign Classic VulnerabilitiesCitrix Patches NetScaler Vulnerabilities, Including New ‘HTTP/2 Bomb’ Attack Latest News Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access VulnerabilityPrompt Injection Attacks Trick AI Agents Into Making Crypto PaymentsIn Other News: Canadian Hacker Jailed, Open Source Zero-Days, Two Sentenced for ATM JackpottingAgentic AI Used to Conduct Ransomware Attack via LangflowMedtronic Data Breach Impacts 3.8 Million PeopleAlleged Scattered Spider Hacker Extradited to USGoogle, FBI Disrupt NetNut Residential Proxy Network Powered by Millions of DevicesCritical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveJames Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.Rafal Los has joined Binary Defense as Chief Strategy Officer.Tracey Mustacchio has joined Everfox as Chief Marketing Officer.More People On The MoveExpert Insights How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) What the Latest ShinyHunters Breaches Reveal About Modern Cyberattacks Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage. (Torsten George) Flipboard Reddit Whatsapp Whatsapp Email
Indicators of Compromise
- malware — DEV#POPPER
- malware — OmniStealer