HackMyIP
2026-07-04 The Hacker News

North Korean Hackers Push 108 Malicious Packages in PolinRider Campaign

Tags: Supply Chain, APT, Malware

North Korean threat actors tied to the Contagious Interview campaign have published 108 unique malicious packages and browser extensions across npm, Packagist, Go, and the Google Chrome Web Store in an ongoing operation dubbed PolinRider. According to Socket security researcher Karlo Zanki, the 162 malicious release artifacts include 19 npm libraries, 10 Composer packages, 61 Go modules, and one Chrome extension, with threat actors compromising maintainer accounts to inject malware into legitimate repositories. The campaign is expected to remain active as attackers continue exploiting expired domain takeovers and registry access to distribute infected package versions—a risk developers can partially evaluate by running a WHOIS lookup on any domains linked to a project’s maintainer history.

Contagious Interview, active since at least 2023, weaponizes fake job recruitment to target software developers and cryptocurrency professionals, using LinkedIn, GitHub, and freelance platforms alongside AI-generated employee profiles and elaborate front companies. The PolinRider activity was first flagged by the OpenSourceMalware team in March 2026 and overlaps with a cluster called TaskJacker, which drops malicious VS Code task files using the "runOn: 'folderOpen'" trigger to execute arbitrary code when a workspace is opened in VS Code or Cursor. As of April 11, 2026, the operation had compromised 1,951 public GitHub repositories belonging to 1,047 unique owners, implanting obfuscated JavaScript payloads that deliver a new variant of BeaverTail, a known malware family associated with the cluster.

The attackers gain footholds not through stolen GitHub credentials but by hijacking maintainer accounts—often via expired domain takeovers or other account-recovery paths—underscoring the need for developers to audit credential exposure using an email breach checker and enforce strong, unique credentials with a password checker. Once executed, the malware scans infected machines for configuration files such as "postcss.config.mjs," "tailwind.config.js," "eslint.config.mjs," "next.config.mjs," "babel.config.js," and "app.js," then appends malicious JavaScript to them. A Windows batch script is also deployed to silently rewrite the last commit, disguising the malicious edits as legitimate changes made by the original author.
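The two workspace-level tradecraft points above, the VS Code task that fires on folder open and JavaScript appended to ordinary build configuration files, are both things a developer can check for in a fresh checkout before opening it in an editor. The following scanner is an added example written for this page; it is not code from The Hacker News, Socket, or OpenSourceMalware, and the sample checkout it builds is constructed (the "payload" line is an inert stand-in, not the real BeaverTail implant). The suspicious-pattern list and the long-line threshold are assumptions to tune to your own code base; it does not attempt to detect the batch-script commit rewrite, which needs git history rather than file contents.

```python
import json
import re
import tempfile
from pathlib import Path

# File names the article says the malware appends JavaScript to.
WATCHED_CONFIGS = {
    "postcss.config.mjs", "tailwind.config.js", "eslint.config.mjs",
    "next.config.mjs", "babel.config.js", "app.js",
}

# Heuristics for appended, obfuscated JavaScript (assumed for this example;
# legitimate config files rarely match any of them).
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "function-constructor": re.compile(r"\bFunction\s*\("),
    "char-code-decoding": re.compile(r"fromCharCode|\batob\s*\("),
    "process-spawn": re.compile(r"child_process|require\(['\"]https?['\"]\)"),
    "hex-string-blob": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
}
LONG_LINE_THRESHOLD = 300  # packed one-liners are typical of appended payloads


def find_auto_run_tasks(tasks_json_text):
    """Return (label, command) for tasks that fire when the folder is opened.

    Assumes plain JSON; a real tasks.json may contain comments (JSONC), so
    a production version should use a comment-tolerant parser.
    """
    try:
        doc = json.loads(tasks_json_text)
    except json.JSONDecodeError:
        return []
    hits = []
    for task in doc.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            hits.append((task.get("label", "<unlabelled>"), task.get("command", "")))
    return hits


def scan_config_text(text):
    """Return (reason, line_no) pairs for lines that look like injected JavaScript."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if len(line) > LONG_LINE_THRESHOLD:
            findings.append(("long-line", line_no))
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                findings.append((name, line_no))
    return findings


def scan_workspace(root):
    """Walk a checkout and return {relative_path: findings} for anything suspicious."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if not path.is_file() or "node_modules" in path.parts:
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        if path.name == "tasks.json" and path.parent.name == ".vscode":
            hits = find_auto_run_tasks(text)
            if hits:
                report[rel] = [("auto-run-task", label, cmd) for label, cmd in hits]
        elif path.name in WATCHED_CONFIGS:
            hits = scan_config_text(text)
            if hits:
                report[rel] = hits
    return report


def build_demo_workspace():
    """Write a constructed sample checkout (no real malware) into a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="polinrider-demo-"))
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [
            {"label": "build", "type": "shell", "command": "npm run build"},
            {"label": "postinstall", "type": "shell",
             "command": "node ./scripts/setup.js",
             "runOptions": {"runOn": "folderOpen"}},
        ],
    }))
    clean = "export default { plugins: { tailwindcss: {}, autoprefixer: {} } };\n"
    # Constructed stand-in for an appended payload: a packed hex blob fed to eval.
    appended = 'var _0x="' + "".join("\\x41" for _ in range(120)) + '";eval(_0x);\n'
    (root / "postcss.config.mjs").write_text(clean + appended)
    (root / "next.config.mjs").write_text("export default { reactStrictMode: true };\n")
    return root


if __name__ == "__main__":
    for rel, hits in scan_workspace(build_demo_workspace()).items():
        print(rel, hits)
```

Run it against a real checkout with `scan_workspace("/path/to/repo")` before opening the folder in VS Code or Cursor; any `auto-run-task` hit deserves a look at the command it runs, and a hit in a watched config file is worth diffing against the last known-good revision rather than trusting the most recent commit, since the article notes the last commit itself may have been rewritten.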

Source: The Hacker News
