PolinRider Jumps the Fence

2026-07-08 Open Source Malware

https://opensourcemalware.com/blog/polinrider-jumps-the-fence

Thumbnail for PolinRider Jumps the Fence

PolinRider, a DPRK-linked Lazarus Group / Contagious Interview supply-chain campaign, expanded from compromised GitHub repositories into Go modules and Packagist packages because those ecosystems publish directly from git repositories and tags. OpenSourceMalware and Socket observed almost 200 malicious release artifacts tied to 111 packages and extensions, including more than 80 Go modules and 10 Packagist packages, while NPM and PyPI were less affected because they require separate artifact-publishing credentials. The campaign uses obfuscated JavaScript in config files, VS Code `tasks.json` folder-open triggers, fake `.woff2` JavaScript loaders, malicious npm dependencies, blockchain dead-drops, and the BeaverTail / InvisibleFerret / OtterCookie / OmniStealer toolchain for credential, browser-data, and wallet theft. The report warns maintainers that, for repo-sourced ecosystems, GitHub account security is effectively registry security.

Indicators of Compromise

Type Value First Seen Last Seen
WALLET 0x3f0e5781d0855fb460661ac632573… 2026-03-06 2026-07-08
WALLET 0xbe037400670fbf1c32364f7629759… 2026-03-06 2026-07-08
WALLET TXfxHUet9pJVU1BgVkBAbrES4YUc1nG… 2026-03-06 2026-07-08
WALLET TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7… 2026-03-06 2026-07-08

Related Actors

Related Reports

« Back