TasksJacker: Latest DPRK Attack Skips the Fake Interview and Goes Straight to Compromising GitHub Users
A technical deep-dive into the next generation of DPRK attacks that borrows from Shai-hulud and Contagious Interview to compromise dozens of GitHub users
6mile
March 31, 2026
tasksjacker
polinrider
glassworm
github
lazarus
dprk
supply-chain
infostealer
contagious-interview
shai-hulud
TasksJacker Campaign
OpenSourceMalware has identified a new DPRK attack, which we have dubbed "TasksJacker", that drops malicious VS Code tasks files into unsuspecting GitHub users' existing repositories. This is a parallel attack to the PolinRider upstream injection campaign that OpenSourceMalware identified in early March, a campaign that evolved directly from the credential theft documented here into fork-and-PR attacks targeting projects with over 1 million combined GitHub stars. TasksJacker also shares its force-push git history rewriting technique with the GlassWorm ForceMemo campaign, run by a separate threat actor that compromised hundreds of GitHub repositories and hijacked popular React Native npm packages with 130K+ monthly downloads using the same TTP.
Executive Summary
As of March 30, …