PolinRider Rides Again: North Korean Attack Expands Across GitHub
PolinRider is a DPRK supply-chain campaign that hides obfuscated JavaScript in developers' config files, fake font files, malicious npm packages, and weaponized take-home coding tests — and in five weeks it's gone from 675 to nearly 2,000 victim repositories
6mile
April 12, 2026
20 min read
north-korea
polinrider
dprk
github
PolinRider Rides Again
Five weeks after the OSM team first published on PolinRider — a DPRK supply-chain campaign that injects obfuscated JavaScript into legitimate developers' config files — we've updated our research data about this persistent threat, and the reality is things have gotten worse.
Three things to know:
The campaign has nearly tripled. We can now confirm 1,951 unique compromised repositories belonging to 1,047 unique owners, up from the 675 / 352 we published on March 8. And there is strong reason to believe this is still a significant undercount.
PolinRider and TasksJacker have effectively merged. The same threat actor is now using .vscode/tasks.json curl-pipe-to-shell payloads, fake font files (.woff2 containing …