Supply Chain Attack Campaign

Ongoing

PolinRider

PolinRider is a North Korea-linked supply chain campaign associated with the broader Contagious Interview / Famous Chollima developer-targeting activity cluster. Socket tracks the campaign across npm, Packagist, Go modules, and Chrome extensions. Threat actors compromise maintainer accounts and legitimate repositories to plant obfuscated JavaScript loaders, publish malicious release artifacts, and hide compromise traces through whitespace padding, fake .woff2 font files, VS Code task execution, and Git history rewriting. In observed loader variants, the malware retrieves encrypted second-stage payload material from blockchain and public RPC infrastructure, decrypts it with embedded XOR keys, and executes additional malware.

Ecosystems: actions, composer, chrome, npm

First discovered: 2025-12-07
Last activity: 2026-06-30
Affected Package Artifacts: 162 (108 unique packages)
Package Artifacts Last 7 Days: 89 (100% vs previous 7 days)
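
A repository triage check for three of the concealment techniques named in the campaign description above (whitespace padding, fake .woff2 files, VS Code task execution). This is an added example, not Socket's detection logic or code from the campaign. Assumptions: padding is treated as 200 or more blanks ahead of code on one line, a fake font is one missing the WOFF2 `wOF2` signature, and task execution is checked via the VS Code `runOn: folderOpen` option; the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

WOFF2_MAGIC = b"wOF2"                    # first 4 bytes of every real WOFF2 file
PAD_RUN = re.compile(r"[ \t]{200,}\S")   # assumed threshold: code pushed off-screen
SCRIPT_EXT = {".js", ".cjs", ".mjs", ".ts"}
FOLDER_OPEN = re.compile(r'"runOn"\s*:\s*"folderOpen"')  # regex: tasks.json allows comments

def scan_tree(root):
    """Return sorted (relative_path, reason) findings for one checkout."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):         # rglob also walks dot-directories
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext == ".woff2":
            with path.open("rb") as fh:
                if fh.read(4) != WOFF2_MAGIC:
                    findings.append((rel, "woff2-bad-magic"))
        elif ext in SCRIPT_EXT:
            text = path.read_text(errors="replace")
            if any(PAD_RUN.search(line) for line in text.splitlines()):
                findings.append((rel, "whitespace-padded-code"))
        elif rel.endswith(".vscode/tasks.json"):
            if FOLDER_OPEN.search(path.read_text(errors="replace")):
                findings.append((rel, "task-runs-on-folder-open"))
    return sorted(findings)

def demo():
    """Build a constructed sample tree (benign content only) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "fonts").mkdir()
        (root / ".vscode").mkdir()
        (root / "fonts/ok.woff2").write_bytes(b"wOF2" + b"\x00" * 44)
        (root / "fonts/icons.woff2").write_bytes(b"(function(){/* constructed */})();")
        (root / "index.js").write_text("module.exports = 1;" + " " * 400 + "void 0;\n")
        (root / "clean.js").write_text("function f() {\n    return 1;\n}\n")
        (root / ".vscode/tasks.json").write_text(
            '{"tasks":[{"label":"x","runOptions":{"runOn":"folderOpen"}}]}')
        return scan_tree(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:26} {rel}")
```

Findings are triage leads rather than verdicts: legitimate projects also use folder-open tasks, so each hit needs a manual look at what the file actually runs.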
