PolinRider Jumps the Fence
2026-07-08 • Open Source Malware •
https://opensourcemalware.com/blog/polinrider-jumps-the-fence
PolinRider, a DPRK-linked Lazarus Group / Contagious Interview supply-chain campaign, expanded from compromised GitHub repositories into Go modules and Packagist packages because those ecosystems publish directly from git repositories and tags. OpenSourceMalware and Socket observed almost 200 malicious release artifacts tied to 111 packages and extensions, including more than 80 Go modules and 10 Packagist packages, while NPM and PyPI were less affected because they require separate artifact-publishing credentials. The campaign uses obfuscated JavaScript in config files, VS Code `tasks.json` folder-open triggers, fake `.woff2` JavaScript loaders, malicious npm dependencies, blockchain dead-drops, and the BeaverTail / InvisibleFerret / OtterCookie / OmniStealer toolchain for credential, browser-data, and wallet theft. The report warns maintainers that, for repo-sourced ecosystems, GitHub account security is effectively registry security.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| WALLET | 0x3f0e5781d0855fb460661ac632573… | 2026-03-06 | 2026-07-08 |
| WALLET | 0xbe037400670fbf1c32364f7629759… | 2026-03-06 | 2026-07-08 |
| WALLET | TXfxHUet9pJVU1BgVkBAbrES4YUc1nG… | 2026-03-06 | 2026-07-08 |
| WALLET | TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7… | 2026-03-06 | 2026-07-08 |