PolinRider: DPRK Threat Actor Implants Malware in Hundreds of GitHub Repos
A North Korean threat actor is implanting malware in the repositories of hundreds of GitHub users and organizations. This malware is the latest DPRK Beavertail variant, which steals credentials and crypto and installs a RAT.
6mile
March 8, 2026
polinrider
github
lazarus
dprk
supply-chain
infostealer
contagious-interview
shai-hulud
PolinRider Threat Campaign
Date: 2026-03-07
Severity: CRITICAL — active supply chain infection across hundreds of public repositories
The OpenSourceMalware team has uncovered a massive threat campaign that is implanting malware in the repositories of GitHub users and organizations. The threat actor, PolinRider, has implanted malicious obfuscated JavaScript payloads in hundreds of public GitHub repositories belonging to hundreds of unique owners. Use the #polinrider tag to see all threat reports related to this campaign, and jump to the end of this blog for the list of compromised repositories, including the ones we recommend prioritising for immediate action. Keep in mind that the tag is the best way to get current data.
The JavaScript payload is appended …