[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQ2xdWnvz16L_yPLo-OPUAk3DzKhk9rDU83bJ5j8jkEo":3},{"article":4,"iocs":57},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":34,"category":35,"article_tags":39},"ab1da9e3-d1dd-43ac-a925-8a63458820b2","PolinRider: North Korea-Linked Supply Chain Campaign Expands Across Open Source Ecosystems","polinrider-north-korea-linked-supply-chain-campaign-expands-across-open-source-e-fc7493","Socket Threat Research Team identified 162 malicious release artifacts across 108 packages and extensions in npm, Packagist, Go modules, and Chrome extensions, linking the activity to the broader North Korean Contagious Interview \u002F Famous Chollima developer-targeting campaign. PolinRider is a supply chain campaign linked to North Korean threat actors associated with the broader Contagious Interview \u002F Famous Chollima activity cluster. Our latest findings show that the campaign has expanded beyond npm into additional open source ecosystems, with 162 malicious release artifacts identified across 108 unique packages, including compromise traces in 80 Go modules, 10 Packagist packages, and one Chrome extension. The campaign remains active, and new malicious packages are likely to continue appearing as threat actors compromise maintainer accounts, modify legitimate repositories, and publish infected package versions where they retain or obtain registry access. The core tradecraft remains consistent across the campaign: threat actors plant obfuscated JavaScript loaders in legitimate repositories, conceal the code through whitespace padding or fake .woff2 font files, and trigger execution through developer tooling such as VS Code task files. The threat actors use Git history rewriting, including force pushes and anti-dated commits to make malicious changes appear older and less suspicious. 
This makes the GitHub landing page and visible commit history unreliable indicators of compromise; defenders should review repository activity logs, package release metadata, VS Code task configuration, and suspicious changes to configuration files. Once deobfuscated, the payload functions as a JavaScript malware loader that reaches out to blockchain and public RPC infrastructure, including TRON, Aptos, and BNB Smart Chain services, retrieves encrypted second-stage payload material, decrypts it with embedded XOR keys, and executes the result with eval(). Current observed payloads include DEV#POPPER and OmniStealer, but the loader-based design means the campaign should be treated as capable of delivering additional malware. Teams that installed affected package versions should treat the environment as compromised, preserve forensic artifacts, rebuild from known-good lockfiles, rotate exposed secrets from a clean machine, and audit developer workstations and repositories for hidden execution paths. PolinRider is ongoing, and Socket continues to identify fresh compromises, malicious package versions, and extensions tied to this campaign. Because the threat actors repeatedly compromise legitimate repositories and expand across ecosystems, additional affected artifacts are likely to surface. Socket is tracking the campaign on a live page, where affected packages, versions, and updates are added as they are confirmed: https:\u002F\u002Fsocket.dev\u002Fsupply-chain-attacks\u002Fpolinrider # PolinRider’s typical operating pattern involves compromising legitimate GitHub repositories and planting malicious commits containing obfuscated JavaScript loaders. In many cases, the malicious code is inserted as a one-line payload and hidden from immediate view by padding the line with whitespace, pushing the executable code beyond the default screen width. 
In some observed cases, the activity is consistent with GitHub maintainer-account takeover, potentially through expired domain takeover or another account recovery path. Once the threat actors control a maintainer account, they can modify multiple repositories and, where registry access is available, publish malicious package versions to downstream ecosystems. One recent example is the Xpos587 GitHub account. Several repositories maintained by this account were modified in the same narrow time window on June 23 at 10:00 UTC. This synchronized update pattern is unlikely to reflect normal maintainer activity and is consistent with account-level compromise followed by bulk repository modification. The Xpos587 repository list shows multiple unrelated projects updated in the same period, with aligned activity spikes across repositories. This pattern indicates coordinated account-level modification rather than ordinary per-project maintenance. Commit history alone may not reveal the compromise. In some affected repositories, the visible GitHub file view and latest commit metadata appear benign, with changes dated months earlier and commit messages that resemble routine maintenance. This makes the repository appear trustworthy unless reviewers inspect additional GitHub activity signals. The Xpos587\u002Fmarkfetch repository appears normal in the standard GitHub file view, with routine-looking commit messages and file timestamps dating back months. This view can obscure later evidence of malicious changes when repository history has been rewritten. Evidence of Git history rewriting appears in the repository’s GitHub Activity tab. In this case, the Activity view shows a recent force push that modified prior commit history. As a result, the main repository page gives the impression that nothing changed recently, while the Activity tab reveals that older-looking commits were altered after the fact to insert malicious payloads. 
GitHub Activity exposes the force push used to rewrite repository history. While the main file view suggests the repository had not changed for months, the Activity tab shows recent modification of older commits, consistent with backfilled malicious payload insertion. When threat actors gain both repository access and the ability to publish to a package registry, the compromise can extend beyond GitHub into downstream package ecosystems. In the Xpos587 case, malicious versions of affected Go modules were published after repositories under the account were modified. Socket flags a malicious Xpos587\u002Fgit2md Go module release under the Xpos587 account, showing how repository compromise can propagate into published package artifacts when registry access is available. We did not observe malicious releases from this maintainer’s PyPI account. This may indicate that the threat actors did not obtain the required PyPI publishing credentials, were blocked by PyPI security controls, or otherwise lacked the access needed to publish malicious Python package versions. 
PolinRider Expands to Packagist # 
Recent PolinRider activity shows the campaign expanding into Packagist, with several compromised packages identified under the sevenspan namespace, which is maintained by the 7span organization. Repository maintainers identified part of the compromise and removed fake .woff2 font files from affected GitHub repositories and packages. The 7span commit timeline shows anti-dated January 8 commits associated with malicious payload insertion, followed by a May 16 commit removing PolinRider from one affected repository. The cleanup did not remove all PolinRider payload variants. While the fake-font payloads were detected and removed, obfuscated JavaScript hidden in configuration files remained present in some affected repositories. This shows that remediation focused only on one payload-hiding method can miss other variants used by the same campaign. 
The GitHub diff shows obfuscated JavaScript appended inside vite.config.js alongside normal configuration code. Because Git history was rewritten, the malicious code appears to be part of an older legitimate commit rather than a recent compromise. We did not observe corresponding malicious npm releases from the same organization in this case. This suggests the threat actors may not have obtained the npm publishing secrets or registry access needed to push malicious versions to npm, even though related GitHub repositories were modified. 
Payload Hiding and Loader Execution # 
Across observed PolinRider variants, the malicious code typically functions as an obfuscated JavaScript loader after deobfuscation. In some cases, the loader reaches out to blockchain and public RPC infrastructure, including TRON, Aptos, and BNB Smart Chain services, retrieves encrypted second-stage payload material, decrypts it with embedded XOR keys, and executes the result with eval(). Observed follow-on payloads include DEV#POPPER and OmniStealer, which provide capabilities such as command execution, socket.io-client-based C2 communication, credential theft, browser-data theft, and wallet exfiltration. However, the loader-based design should be treated as capable of delivering additional malware as the campaign evolves. The Socket Threat Research Team has identified two primary payload-hiding methods associated with PolinRider. Earlier activity commonly hid obfuscated JavaScript inside configuration files, including *config.js files. More recent variants hide the loader inside fake .woff2 font files and trigger execution through VS Code task files. The .vscode\u002Ftasks.json file defines a hidden task that runs on folder open and executes a fake .woff2 font file with Node.js. This turns a file that appears to be a static font asset into an execution path for the obfuscated JavaScript loader. 
Both methods appear across compromised repositories linked to the previously discussed Xpos587 GitHub account. The Xpos587\u002Fmarkfetch repository used the fake-font variant, while the Artiffusion-Inc\u002Fmirofish repository contained a payload hidden in vite.config.js, inserted by the same Xpos587 user. The reason the threat actors choose one hiding method over another in specific repositories remains unclear. 
Defensive Guidance # 
Teams that installed any affected package or extension version should treat the installing environment as potentially compromised until reviewed. Because PolinRider targets developer environments and may expose package registry, source code, cloud, and CI\u002FCD credentials, remediation should be performed from a clean machine, not from the potentially infected host. 
Recommended response: 
Preserve forensic artifacts before cleanup where possible. 
Identify every developer machine that installed affected package versions. 
Remove affected versions and rebuild from a known-good lockfile. 
Rotate npm, GitHub, PyPI, RubyGems, cloud, Vault, Kubernetes, Docker, SSH, Slack, Twilio, and CI\u002FCD secrets exposed to affected environments from a clean machine, not from the potentially infected host. 
Audit developer machines for VS Code tasks with the \"runOn\": \"folderOpen\" option configured. Search for commands that execute files with atypical extensions, such as commands that run *.woff2 files with node. 
Audit GitHub repositories for suspicious commits modifying .vscode\u002Ftasks.json, config.js, vite.config.js, eslint.config.js, or files under font\u002Fstatic asset directories. 
Review GitHub Activity logs, not only visible commit history, because PolinRider activity has included force pushes and rewritten history that can make malicious changes appear older or less suspicious. 
Review package registry publication history for unexpected releases following repository modification, especially where maintainers had access to multiple ecosystems. 
Latest Wave: Accounts, Namespaces, and Repositories # 
Xpos587 — GitHub account 
Xpos587\u002Fgit2md 
Xpos587\u002Fmarkfetch 
Artiffusion-Inc\u002Fmirofish 
sevenspan — Packagist namespace 
7span — GitHub organization 
7span\u002Freact-list 
PolinRider Affected Packages 
We are tracking the full campaign on a dedicated page, with all affected artifacts added as they are identified: https:\u002F\u002Fsocket.dev\u002Fsupply-chain-attacks\u002Fpolinrider","The PolinRider supply chain campaign, linked to North Korean threat actors, has expanded its reach across multiple open source ecosystems including npm, Packagist, Go modules, and Chrome extensions. Threat actors are compromising maintainer accounts, rewriting Git history, and hiding malicious JavaScript loaders within legitimate repositories, often disguised as font files or within configuration files. 
The campaign has been observed delivering payloads like DEV#POPPER and OmniStealer, with the potential to distribute additional malware.","North Korean threat actors expand PolinRider supply chain campaign across npm, Packagist, Go, and Chrome extensions.","Security NewsRisky Biz Podcast: AI Agents Are Raising the Stakes for Software Supply Chain SecurityOpen source attacks are accelerating as AI coding agents pull in dependencies faster, with less human review.By Sarah Gooding - Jun 30, 2026","https:\u002F\u002Fsocket.dev\u002Fblog\u002Fpolinrider-north-korea-linked-supply-chain-campaign-expands?utm_medium=feed","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002Faebe4e289f589f266b593b5d103399e84d42843a-1672x941.png?w=1000&q=95&fit=max&auto=format","2026-07-01T17:53:56.469+00:00","2026-07-01T22:00:17.400986+00:00",9,[18,21,24,27,29,32],{"name":19,"type":20},"Contagious Interview \u002F Famous Chollima","threat_actor",{"name":22,"type":23},"PolinRider","campaign",{"name":25,"type":26},"DEV#POPPER","product",{"name":28,"type":26},"OmniStealer",{"name":30,"type":31},"npm","technology",{"name":33,"type":31},"Packagist","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":34,"icon":36,"name":37,"slug":38},null,"Supply Chain","supply-chain",[40,42,47,52],{"category":41},{"id":34,"icon":36,"name":37,"slug":38},{"category":43},{"id":44,"icon":36,"name":45,"slug":46},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":48},{"id":49,"icon":36,"name":50,"slug":51},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":53},{"id":54,"icon":36,"name":55,"slug":56},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",[58],{"type":59,"value":60,"context":61},"url","https:\u002F\u002Fsocket.dev\u002Fsupply-chain-attacks\u002Fpolinrider","Tracking page for the PolinRider campaign"]