[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fClfqJ-7RX9AqVFNhlIuC_YN-18Icu7f1Kr5MLvgEYkY":3},{"lesson":4},{"id":5,"slug":6,"article_id":7,"title":8,"body":9,"prevention":10,"framework_refs":11,"status":22,"created_at":23,"published_at":24,"article":25,"tags":29,"podcasts":48},"463bf18a-0a8a-4eb7-8efb-335a128b26f8","north-korean-actors-poison-open-source-ecosystems-via-compromised-maintainer-accounts","ab1da9e3-d1dd-43ac-a925-8a63458820b2","North Korean Actors Poison Open Source Ecosystems via Compromised Maintainer Accounts",
"The PolinRider campaign demonstrates how sophisticated threat actors can weaponize trusted open source ecosystems by compromising maintainer accounts and rewriting Git history to inject malicious code into legitimate repositories. Because developers inherently trust packages from established maintainers, malicious payloads hidden as font files or configuration entries can propagate widely before detection. The delivery of stealers and remote-access malware like OmniStealer and DEV#POPPER means downstream consumers of infected packages risk full credential and data compromise. This campaign highlights that supply chain integrity is now a frontline security concern, not just a peripheral risk. Organizations that blindly consume open source dependencies without integrity checks are effectively outsourcing their attack surface to threat actors.",
"**Immediate actions:**\n- Audit all third-party open source dependencies for unexpected changes to Git history, new binary blobs, or unusual configuration file modifications.\n- Enable multi-factor authentication (MFA) on all package registry maintainer accounts (npm, Packagist, etc.) to prevent account takeover.\n- Pin dependencies to verified, cryptographically signed commit hashes rather than mutable version tags.\n\n**Long-term improvements:**\n- Integrate Software Composition Analysis (SCA) tools into CI\u002FCD pipelines to automatically flag newly introduced or modified dependencies before build.\n- Establish an internal package mirror or proxy (e.g., Artifactory, Nexus) that enforces an approval workflow before new or updated packages are consumed by developers.\n- Implement a formal third-party dependency risk management policy that includes periodic review of maintainer account health and package ownership changes.\n\n**Detection measures:**\n- Deploy runtime application self-protection (RASP) or endpoint detection to alert on unexpected JavaScript loader execution or outbound connections originating from build or runtime processes.\n- Subscribe to threat intelligence feeds and security advisories specific to the open source ecosystems your organization uses (npm advisories, OSV, GitHub Security Advisories).\n- Monitor CI\u002FCD pipeline logs for anomalous network calls, unexpected file writes, or execution of obfuscated scripts during dependency installation.",
[12,13,14,15,16,17,18,19,20,21],"CIS Control 2: Inventory and Control of Software Assets","CIS Control 16: Application Software Security","NIST SP 800-161r1: Cybersecurity Supply Chain Risk Management","NIST SP 800-218 (SSDF): Supply Chain and Third-Party Software Security","NIST CSF ID.SC-4: Supplier risk management","SLSA Framework Level 2-3: Source and Build Integrity","NIST AC-2: Account Management (MFA enforcement)","ISO\u002FIEC 27036: Information Security for Supplier Relationships","OWASP Top 10 A06:2021 – Vulnerable and Outdated Components","GDPR Article 32: Security of Processing (data protection obligations for affected EU user data)",
"published","2026-07-01T22:21:46.131141+00:00","2026-07-01T22:21:45.831+00:00",{"id":7,"url":26,"slug":27,"title":28},"https:\u002F\u002Fsocket.dev\u002Fblog\u002Fpolinrider-north-korea-linked-supply-chain-campaign-expands?utm_medium=feed","polinrider-north-korea-linked-supply-chain-campaign-expands-across-open-source-e-fc7493","PolinRider: North Korea-Linked Supply Chain Campaign Expands Across Open Source Ecosystems",[30,36,42],{"id":31,"name":32,"slug":33,"description":34,"color":35},"05757c8d-6b93-4194-b35d-7359e7d33b0e","Vulnerability Management","vulnerability-management","Missing scans, no risk prioritization","#fb923c",{"id":37,"name":38,"slug":39,"description":40,"color":41},"1ec88fde-2d0f-4ed8-932a-33f5ccc0fdc7","Access Control","access-control","Excessive privileges, missing MFA, weak auth","#f97316",{"id":43,"name":44,"slug":45,"description":46,"color":47},"f0c2a0af-58aa-4128-87c9-6acd30f2dc48","Supply Chain","supply-chain","Third-party risk, compromised dependencies","#8b5cf6",[]]