North Korean cyber attackers associated with the Contagious Interview operation have been detected distributing 108 distinct packages and web browser extensions across platforms like npm, Packagist, Go, and Google Chrome. This activity, known as PolinRider, continues to pose a significant threat.
The Mechanics of PolinRider
According to Karlo Zanki, a security researcher from Socket, these malicious packages could persist as long as attackers can compromise maintainer accounts and modify legitimate repositories. The campaign involves 162 malicious release artifacts, including multiple versions of 108 unique packages and extensions, such as npm libraries and Go modules.
Contagious Interview, the name given to the broader operation, specifically targets software developers and cryptocurrency professionals through fake job recruitment, manipulating victims into executing harmful code. Since at least 2023, attackers have impersonated recruiters online to establish trust before delivering malware.
Technical Details and Impact
PolinRider was initially reported by the OpenSourceMalware team in March 2026. The attack involves implanting obfuscated JavaScript payloads in numerous public GitHub repositories, delivering a new variant of the BeaverTail malware. By April 11, 2026, 1,951 GitHub repositories had been compromised, and the campaign had converged with TaskJacker, which uses malicious VS Code task files for code execution.
These attackers do not rely on stolen credentials but instead compromise users via malicious VS Code extensions or npm packages. They likely gain control of maintainer accounts through strategies like expired domain takeovers.
Defense and Future Outlook
Once activated, the malware scans for specific files, appending malicious JavaScript code while modifying commit histories to disguise origins. The payload reaches out to blockchain infrastructure to download further malware components like DEV#POPPER RAT and OmniStealer, detailed by eSentire in March 2026.
JFrog has separately identified a group of npm packages connected to Contagious Interview, adding to the campaign's scope and complexity. Users should consider their environments compromised, regenerate exposed credentials, and rebuild systems from secure sources. Regular audits of developer workstations and repositories are essential to uncover hidden threats.
Given the deceptive tactics, defenders are urged to scrutinize repository logs, package metadata, and any suspicious configuration changes. As the campaign evolves, staying informed and proactive is crucial to countering this sophisticated cyber threat.
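As an added illustration of the repository audit recommended above (this script is not from the article or from Socket, eSentire or JFrog), the following Python walks a checked-out repository and flags two kinds of configuration that execute code without the developer doing anything: VS Code tasks set to run on folder open and npm install-time lifecycle scripts. That these are the exact mechanisms PolinRider and TaskJacker use is an assumption beyond what the article states; the sample repository it inspects is constructed inline.

```python
import json
import os
import tempfile

# npm runs these scripts on its own during `npm install`, with no developer action.
NPM_AUTORUN_SCRIPTS = {"preinstall", "install", "postinstall", "prepare"}

def audit_vscode_tasks(tasks_path):
    """Flag tasks VS Code starts automatically when the folder is opened (runOn: folderOpen)."""
    findings = []
    with open(tasks_path, encoding="utf-8") as fh:  # assumes strict JSON; real tasks.json may hold comments
        tasks = json.load(fh).get("tasks", [])
    for task in tasks:
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append(f"{tasks_path}: task {task.get('label')!r} runs on folderOpen: {task.get('command')}")
    return findings

def audit_package_json(pkg_path):
    """Flag install-time lifecycle scripts, which run before anyone has reviewed the package."""
    with open(pkg_path, encoding="utf-8") as fh:
        scripts = json.load(fh).get("scripts", {})
    return [f"{pkg_path}: install-time script {name!r}: {cmd}"
            for name, cmd in scripts.items() if name in NPM_AUTORUN_SCRIPTS]

def audit_repo(root):
    """Walk a checked-out repository and report configuration that executes code automatically."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]  # audit the repo, not its dependencies
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            findings += audit_vscode_tasks(os.path.join(dirpath, "tasks.json"))
        if "package.json" in filenames:
            findings += audit_package_json(os.path.join(dirpath, "package.json"))
    return findings

def build_sample_repo():
    """Constructed sample repository: one benign task, one auto-run task, one postinstall hook."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".vscode"))
    with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
        json.dump({"version": "2.0.0", "tasks": [
            {"label": "build", "type": "shell", "command": "npm run build"},
            {"label": "setup", "type": "shell", "command": "node ./scripts/setup.js",
             "runOptions": {"runOn": "folderOpen"}}]}, fh)
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "sample", "scripts": {"test": "jest",
                   "postinstall": "node ./scripts/setup.js"}}, fh)
    return root
```

Run `audit_repo` against a freshly cloned repository or an unpacked package; every finding is a place where opening the folder or installing the package would run code, and each deserves a look at the referenced script and the commit that introduced it.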
