North Korean cybercriminals have launched a sophisticated campaign targeting open source software developers. The initiative, identified by cybersecurity firm Socket, involves using a backdoor and an information-stealing mechanism to infiltrate software supply chains.
Details of the PolinRider Campaign
Operating under the name PolinRider, this campaign has been active since December 2025. Hackers have been injecting compromised GitHub repositories with JavaScript loaders, leading unsuspecting users to the DEV#POPPER remote access trojan (RAT) and the OmniStealer information stealer.
PolinRider is part of the larger Contagious Interview operation, which shares tactics with campaigns like DeceptiveDevelopment and Operation Dream Job. The primary targets are developers using platforms such as NPM, Packagist, Go modules, and Chrome extensions.
Scope and Impact of the Attack
To date, Socket has discovered 162 malicious artifacts within 108 distinct packages, and the numbers are expected to rise. Attackers compromise maintainer accounts to alter legitimate repositories, pushing infected packages to unsuspecting developers.
These cybercriminals use Git history rewriting to disguise the age of malicious changes, further complicating detection efforts. The altered repositories include obfuscated JavaScript loaders that connect to blockchain and public RPC infrastructure, facilitating encrypted payload retrieval.
Response and Recommendations
One notable incident involved the compromise of the Xpos587 GitHub account, where repositories were tampered with on June 23. The campaign has since extended to Packagist, compromising packages under the sevenspan namespace during a cleanup operation.
Socket advises any teams that installed affected packages or extensions to consider their environments compromised. It’s crucial to conduct remediation from a clean machine, as PolinRider targets developer setups and may risk exposing sensitive credentials.
Security professionals emphasize the need for ongoing vigilance as these attacks highlight the vulnerabilities in software supply chains, particularly in open source environments.
