Skip to content
AI Security Wire

Published

- 4 min read

By

PolinRider: North Korea's 108-Package Campaign Targets Developers

img of PolinRider: North Korea's 108-Package Campaign Targets Developers

Socket’s threat research team published findings on July 1, 2026 identifying a North Korean supply chain campaign they named PolinRider: 162 malicious artifacts placed across 108 packages and extensions spanning npm, Go modules, Packagist, and the Chrome Web Store. The campaign is linked to Contagious Interview, the activity cluster attributed to North Korean state actors and associated with Famous Chollima.

What separates PolinRider from most supply chain attacks is the delivery mechanism. Rather than typosquatting, the operators compromised legitimate maintainer accounts and pushed malicious updates through distribution channels developers already trust.

Scale and Affected Ecosystems

The 108 affected packages break down across ecosystems: 19 npm libraries, 10 Packagist/Composer packages, 61 Go modules, and one Chrome extension. The Go module count stands out. Most North Korean supply chain operations observed through 2025 concentrated on npm and PyPI. The shift to Go modules, where the trust model depends heavily on repository URL integrity rather than a centralised registry’s security reviews, reflects a deliberate expansion into developer environments where detection tooling is less mature.

Confirmed compromised packages include repositories under the Xpos587 GitHub account (git2md, markfetch), the 7span Packagist namespace (react-list), and Artiffusion-Inc/mirofish, an AI image generation tool. Multiple unrelated repositories under compromised accounts were modified in synchronised windows, with the Xpos587 account showing changes across repositories at exactly 10:00 UTC on June 23, 2026.

Account Compromise Over Typosquatting

PolinRider’s operators targeted existing maintainer accounts rather than registering lookalike packages. This distinction matters operationally. Typosquatted packages start with zero download history and need to compete for attention. Compromised packages inherit the original package’s users, stars, and trust signals. Security tooling that filters on reputation or download count will treat a compromised legitimate package as benign.

The compromise method follows the established Contagious Interview playbook: attackers approach maintainers via LinkedIn or freelance platforms presenting as collaborators, run them through a fake hiring or project assessment process, and use that engagement to deliver initial access tooling. Once they have the maintainer’s credentials, they push malicious package updates.

Payload Mechanics: Obfuscation and Blockchain C2

The malicious code uses layered obfuscation to avoid automated scanning. Techniques observed include whitespace padding that hides executable code past the visible screen width, malicious payloads embedded in fake .woff2 font files, and modified configuration files (vite.config.js, eslint.config.js) that contain obfuscated loaders.

For developers using VS Code, PolinRider also plants task files configured with "runOn": "folderOpen". Any developer who opens a compromised project folder triggers the loader silently, without executing any explicit command.

The loader reaches out not to traditional attacker-controlled servers but to public RPC endpoints on the TRON, Aptos, and BNB Smart Chain blockchain networks. These endpoints return encrypted second-stage payloads. The loader decrypts them using XOR keys embedded in the initial payload and executes via eval().

Using public blockchain RPC infrastructure for C2 bypasses a standard class of detection: connection-based blocking. These RPC endpoints are legitimate services used by web3 applications across the internet and are whitelisted in most enterprise network policies.

Observed Malware: DEV#POPPER and OmniStealer

Two malware families have been identified in PolinRider deployments. DEV#POPPER is a backdoor using socket.io for its command channel, providing persistent remote access and command execution. OmniStealer handles credential exfiltration: browser-stored credentials, session cookies, saved passwords, and cryptocurrency wallet data.

The targeting profile matches the group’s known financial motivation. AI tool developers are specifically in scope: the Artiffusion compromise indicates the group is not limiting itself to traditional fintech targets.

Socket researchers also identified overlap with TaskJacker, a separate cluster that modifies VS Code task files in existing GitHub repositories. The merging of PolinRider and TaskJacker activity suggests coordination or infrastructure sharing between North Korean operations running in parallel. As of early July 2026, the campaign remains active.

What Developers Should Do

Developers using Go modules should audit dependencies for packages in the affected namespaces and review repository commit history for unexpected force pushes or antedated commits. Anyone who opened a project folder containing a compromised tasks.json in VS Code should treat that machine as potentially compromised.

For package consumers: npm audit, go mod verify, and Packagist integrity checking will not catch account-compromise attacks on legitimate packages. Dependency monitoring tools that compare package content against historical baselines, rather than just checking for known-bad hashes, are better positioned to catch this class of attack.

Organisations that allow developers to install Go modules or npm packages from public registries without review should evaluate whether supply chain monitoring tools with behavioural analysis are warranted. The attack surface for developer toolchain compromise has expanded across four ecosystems simultaneously.

References

Frequently Asked Questions

How is PolinRider different from the Sapphire Sleet Mastra attack in June 2026?
Both are North Korean supply chain operations targeting developers, but they differ in method and scope. The Sapphire Sleet/Mastra attack (June 2026) focused on a single npm scope via one compromised contributor account, deploying malware across 144 packages in 88 minutes. PolinRider is broader: 108 packages across four ecosystems (npm, Go, Packagist, Chrome), using multiple compromised maintainer accounts over an extended period from February through July 2026, and deploying DEV#POPPER and OmniStealer via blockchain-based second-stage delivery.
What makes the blockchain C2 technique significant for defenders?
Traditional C2 detection relies on flagging connections to known-bad IP addresses or domains. PolinRider's loaders instead query legitimate public blockchain RPC endpoints (TRON, Aptos, BNB Smart Chain) to retrieve encrypted second-stage payloads stored on-chain. These RPCs are whitelisted in most enterprise environments and pass reputation checks. Defenders cannot simply block the C2 channel without disrupting access to services that use those same networks legitimately.
Which developer environments are most at risk from PolinRider-style attacks?
Any developer using VS Code who opens cloned repositories from GitHub is at risk if the repository contains a malicious task file with 'runOn': 'folderOpen'. Go module developers are disproportionately affected given the 61 compromised Go packages. AI tool developers are specifically targeted: Artiffusion-Inc's mirofish (an AI image generation tool) was one of the confirmed compromised projects. Developers working in polyglot environments that pull dependencies from npm, Go modules, and Packagist simultaneously face exposure across all three vectors.