PolinRider Supply Chain Attack Spans npm, Go, Chrome

PolinRider North Korea supply chain attack targeting npm, Go modules, and Chrome extensions

PolinRider is no longer a story about a handful of malicious npm packages. Researchers at Socket uncovered 162 malicious release artifacts spread across 108 packages and browser extensions. The campaign now reaches multiple open-source ecosystems, including npm, Packagist, Go modules, and Chrome extensions. Security analysts attribute the activity to the North Korean threat cluster known as Contagious Interview, also tracked as Famous Chollima.

Why Developers Are the Target

The campaign’s core target has not changed. Attackers focus on developers deliberately. A programmer’s workstation typically holds access to repositories, package registries, cloud platforms, CI/CD pipelines, and internal services.

One infected package can unlock far more than a single laptop. It can open a path into the entire supply chain through which code reaches downstream users.

Scale: Beyond npm

According to Socket, PolinRider has expanded well beyond npm. The campaign now affects 80 Go modules, 10 Packagist packages, and at least one Chrome extension.

Researchers expect new infected packages to appear soon. Attackers continue compromising maintainer accounts and modifying legitimate repositories. They publish tainted versions wherever they gain registry access.

How the Attack Works: Obfuscated Loaders and Fake Fonts

The attack technique centers on a single core method. Attackers inject an obfuscated JavaScript loader into otherwise normal projects. They hide the malicious code in ways that resist casual inspection.

Older PolinRider variants typically concealed the loader inside configuration files such as config.js and vite.config.js. Newer cases hide it inside fake .woff2 files designed to resemble ordinary web fonts.

Execution Hidden Inside VS Code Tasks

Attackers also disguise execution as routine developer tooling. In one variant, the file .vscode/tasks.json contains a hidden task. That task activates automatically when a developer opens the folder in VS Code. It then launches the fake font file through Node.js.

A developer who opens the project can trigger the entire malicious chain. No separate installation is required.

Rewritten Git History

Socket also documents cases where attackers rewrote Git history. Force pushes and backdated commits made malicious changes appear as old and harmless edits. As a result, a standard GitHub page can look completely clean. Evidence of the compromise hides in activity logs, release metadata, and suspicious configuration changes.

The Xpos587 Incident

One notable example involves the account Xpos587. Attackers modified several repositories under that account within a narrow window on June 23 at 10:00 UTC. Socket considers that synchronized burst of activity atypical for legitimate maintainer work.

The firm links the pattern to account compromise. Following those repository changes, malicious versions of affected Go modules entered the package ecosystem.

Packagist and the 7span Namespace

A separate branch of the campaign targeted the Packagist namespace sevenspan, connected to the GitHub organization 7span. Maintainers discovered part of the infection and removed the fake .woff2 files. However, the cleanup was incomplete.

Some repositories still contained obfuscated JavaScript hidden inside configuration files. That outcome illustrates the risk of partial remediation, where a team removes one method of concealment but overlooks another.

Blockchain-Based C2 and Known Payloads

After unpacking, the PolinRider loader contacts blockchain infrastructure and public RPC services, including TRON, Aptos, and BNB Smart Chain. It retrieves an encrypted second-stage payload, decrypts it using hardcoded XOR keys, and executes the result through eval().

Known payloads include DEV#POPPER and OmniStealer. These tools can steal credentials, browser data, and crypto wallets. They can also execute remote commands. Furthermore, the loader architecture allows attackers to swap payloads in future campaigns without changing the delivery mechanism.

What Affected Teams Should Do

Teams that installed affected package versions or extensions should treat their environment as potentially compromised until verified. Developers should specifically look for VS Code tasks that run on folder open. Also look for commands executing files with unusual extensions. Check for unexpected edits to .vscode/tasks.json, vite.config.js, eslint.config.js, and static asset directories.

In addition, rotate all secrets for npm, GitHub, PyPI, RubyGems, cloud, CI/CD, SSH, Kubernetes, Docker, and Vault. Perform that rotation from a clean machine. Never rotate credentials on a host that may have run the infected package.

The Broader Warning

PolinRider is dangerous not merely because of the volume of artifacts discovered. Rather, the campaign exposes how fragile trust has become in the open-source supply chain. A developer sees a familiar repository, a clean commit history, and recognizable configuration files. Yet behind that familiar facade may lurk a loader that activates the instant the project is opened.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Leave a Reply