
PolinRider: North Korea-Linked Supply Chain Campaign Expands Across Open Source Ecosystems
PolinRider expands across npm, Packagist, Go modules, and Chrome extensions, using hidden loaders to target developer environments.
Supply Chain Attack Campaign
PolinRider is a North Korea-linked supply chain campaign associated with the broader Contagious Interview / Famous Chollima developer-targeting activity cluster. Socket tracks the campaign across npm, Packagist, Go modules, and Chrome extensions. Threat actors compromise maintainer accounts and legitimate repositories to plant obfuscated JavaScript loaders, publish malicious release artifacts, and hide compromise traces through whitespace padding, fake .woff2 font files, VS Code task execution, and Git history rewriting. In observed loader variants, the malware retrieves encrypted second-stage payload material from blockchain and public RPC infrastructure, decrypts it with embedded XOR keys, and executes additional malware.
Ecosystems: actions, composer, chrome, npm
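The three repository-level hiding techniques named above (whitespace padding, fake .woff2 files, and VS Code task execution) can each be checked for mechanically. The scanner below is an added example, not code from Socket or from the report; the padding threshold, the assumption that a fake font file lacks the WOFF2 magic bytes, and the `scan_repo` helper are this example's own choices.

```python
import json
import re
from pathlib import Path

# Heuristic thresholds are assumptions for this example, not values from the report.
PAD_RUN = 200            # a run of spaces/tabs this long before code is suspicious
WOFF2_MAGIC = b"wOF2"    # genuine WOFF2 fonts start with this signature


def padded_js_lines(text: str, pad_run: int = PAD_RUN) -> list[int]:
    """1-based line numbers where code follows a long whitespace run (hidden off-screen)."""
    pattern = re.compile(r"[ \t]{%d,}\S" % pad_run)
    return [i for i, line in enumerate(text.splitlines(), 1) if pattern.search(line)]


def fake_woff2(data: bytes) -> bool:
    """True when a file with a .woff2 name does not carry the WOFF2 magic bytes."""
    return not data.startswith(WOFF2_MAGIC)


def auto_run_tasks(tasks_json: str) -> list[str]:
    """Labels of VS Code tasks set to run when the folder is opened (runOn: folderOpen)."""
    try:
        doc = json.loads(tasks_json)
    except json.JSONDecodeError:
        return []  # JSONC comments break json.loads; treat as no finding (conservative)
    return [
        str(t.get("label", "<unnamed>"))
        for t in doc.get("tasks", [])
        if isinstance(t, dict) and t.get("runOptions", {}).get("runOn") == "folderOpen"
    ]


def scan_repo(root: Path) -> dict[str, list[str]]:
    """Walk a checkout and collect findings per file for the three techniques."""
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if path.suffix == ".js":
            lines = padded_js_lines(path.read_text(errors="replace"))
            if lines:
                findings.setdefault(rel, []).append(f"whitespace-padded code on lines {lines}")
        elif path.suffix == ".woff2" and fake_woff2(path.read_bytes()):
            findings.setdefault(rel, []).append("missing WOFF2 magic; not a font")
        elif path.name == "tasks.json" and path.parent.name == ".vscode":
            for label in auto_run_tasks(path.read_text(errors="replace")):
                findings.setdefault(rel, []).append(f"task '{label}' runs on folderOpen")
    return findings


if __name__ == "__main__":
    import sys
    for file, notes in scan_repo(Path(sys.argv[1] if len(sys.argv) > 1 else ".")).items():
        print(file, "->", "; ".join(notes))
```

The checks are heuristics: a payload that prepends valid font magic, or a task file written as JSONC, will not be flagged, so treat a clean result as one signal among others (commit history review, lockfile diffing) rather than proof of a clean checkout.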