PolinRider: North Korea-Linked Supply Chain Campaign Expands Across Open Source Ecosystems

2026-07-01 Socket

https://socket.dev/blog/polinrider-north-korea-linked-supply-chain-campaign-expands

Socket reports that PolinRider, a supply-chain campaign linked to North Korean threat actors in the Contagious Interview / Famous Chollima cluster, has expanded beyond npm into Packagist, Go modules, and a Chrome extension. The research identifies 162 malicious release artifacts across 108 packages and extensions, including 80 Go modules and 10 Packagist packages, with compromised maintainer accounts and rewritten Git history used to hide malicious changes. The loaders are concealed in configuration files or fake .woff2 font files, execute through developer tooling such as VS Code tasks, and retrieve encrypted second-stage payloads via public blockchain/RPC infrastructure before delivering DEV#POPPER, OmniStealer, or other malware. Socket advises teams that installed affected versions to treat developer environments as compromised, preserve evidence, rebuild from known-good lockfiles, rotate exposed secrets from a clean machine, and audit repository and registry activity.
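A triage sketch for the two hiding places the summary names, fake .woff2 files and VS Code tasks, added here as an example and not taken from Socket's report. It assumes two heuristics the summary does not spell out: a genuine WOFF2 font begins with the bytes `wOF2`, and a VS Code task runs without user action when `runOptions.runOn` is `folderOpen`. Function names and the sample tree are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

WOFF2_MAGIC = b"wOF2"  # first four bytes of every genuine WOFF2 font

def fake_woff2_files(root):
    """Paths of *.woff2 files that do not start with the WOFF2 signature."""
    hits = []
    for p in Path(root).rglob("*.woff2"):
        if p.is_file():
            with p.open("rb") as fh:
                if fh.read(4) != WOFF2_MAGIC:
                    hits.append(str(p))
    return sorted(hits)

def auto_run_tasks(root):
    """(path, label) for each VS Code task configured to run on folder open."""
    hits = []
    for p in Path(root).rglob("tasks.json"):
        if p.parent.name != ".vscode":
            continue
        try:
            tasks = json.loads(p.read_text(encoding="utf-8")).get("tasks", [])
        except (OSError, ValueError, AttributeError):
            hits.append((str(p), "<unparsed, review by hand>"))  # e.g. JSONC comments
            continue
        hits += [(str(p), t.get("label", "<unlabelled>")) for t in tasks
                 if isinstance(t, dict)
                 and t.get("runOptions", {}).get("runOn") == "folderOpen"]
    return sorted(hits)

def build_constructed_sample(root):
    """Constructed tree: one genuine-looking font, one fake font, one auto-run task."""
    root = Path(root)
    (root / "assets").mkdir()
    (root / ".vscode").mkdir()
    (root / "assets" / "ok.woff2").write_bytes(WOFF2_MAGIC + b"\x00" * 44)
    (root / "assets" / "icons.woff2").write_bytes(b"// constructed, not a font")
    task = {"label": "constructed-task", "type": "shell", "command": "echo placeholder",
            "runOptions": {"runOn": "folderOpen"}}
    (root / ".vscode" / "tasks.json").write_text(
        json.dumps({"version": "2.0.0", "tasks": [task]}), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        print(fake_woff2_files(tmp), auto_run_tasks(tmp))
```

A hit from either function is a reason to inspect the file, not a verdict: auto-run tasks have legitimate uses, and a clean result does not clear a checkout that installed an affected version.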
