PolinRider: North Korea-Linked Supply Chain Campaign Expands Across Open Source Ecosystems
Blog post from Socket
The Socket Threat Research Team has uncovered a significant supply chain attack, known as the PolinRider campaign, linked to North Korean threat actors and targeting multiple open-source ecosystems, including npm, Packagist, Go modules, and Chrome extensions. The campaign, part of the broader North Korean Contagious Interview / Famous Chollima activity, compromises legitimate developer repositories to plant obfuscated JavaScript loaders, often hidden in configuration files or disguised as fake font files, which execute when triggered by developer tooling such as VS Code. The loaders retrieve encrypted payloads from blockchain and public infrastructure, decrypt them, and execute them, enabling data theft and delivery of further malware. The campaign is characterized by techniques such as Git history rewriting, which makes the malicious changes appear less suspicious and complicates detection. Despite some remediation, such as the removal of certain payloads, the campaign remains active and new malicious packages continue to emerge. In response, affected organizations are advised to treat their environments as compromised, preserve forensic artifacts, rebuild from clean lockfiles, rotate exposed secrets, and thoroughly audit developer workstations and repositories for indicators of compromise.
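As a defender-side repository audit, here is an added Python example (not code from Socket's post) that walks a checkout for two of the hiding places described above: files with a font extension whose bytes are not a font, and JSON editor config files that carry script-like content. The magic-byte table, the loader regex and the constructed sample repository in a temp dir are assumptions made for this example, not indicators from the post.

```python
import re
import tempfile
from pathlib import Path

# Leading bytes of real font formats; other bytes under these extensions are not a font.
FONT_MAGIC = {".ttf": (b"\x00\x01\x00\x00", b"true"), ".otf": (b"OTTO",),
              ".woff": (b"wOFF",), ".woff2": (b"wOF2",)}
# Script-like text that has no business in a JSON editor config (assumed patterns).
LOADER_RE = re.compile(
    rb"eval\s*\(|new\s+Function\s*\(|require\s*\(|child_process"
    rb"|(?:\\x[0-9a-f]{2}){8}", re.I)

def is_fake_font(path: Path) -> bool:
    """True if the extension claims a font but the header does not."""
    magics = FONT_MAGIC.get(path.suffix.lower())
    if not magics:
        return False
    head = path.read_bytes()[:4]
    return not any(head.startswith(m) for m in magics)

def config_has_loader(path: Path) -> bool:
    """True if a .json/.jsonc file carries script-like content."""
    if path.suffix.lower() not in (".json", ".jsonc"):
        return False
    return LOADER_RE.search(path.read_bytes()) is not None

def scan_repo(root: Path) -> list[tuple[str, str]]:
    """Walk a checkout (skipping .git) and return (relative path, reason)."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or ".git" in p.parts:
            continue
        rel = p.relative_to(root).as_posix()
        if is_fake_font(p):
            findings.append((rel, "font extension but non-font bytes"))
        elif config_has_loader(p):
            findings.append((rel, "script-like content in config file"))
    return findings

def demo() -> list[tuple[str, str]]:
    """Build a constructed sample checkout in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    for sub in ("assets", ".vscode"):
        (root / sub).mkdir()
    (root / "assets" / "real.woff2").write_bytes(b"wOF2" + b"\0" * 28)
    # Constructed decoy: a .ttf whose bytes are JavaScript, not a font.
    (root / "assets" / "icons.ttf").write_bytes(b"eval(atob('...'))")
    (root / ".vscode" / "settings.json").write_text('{"x": "require(\'child_process\')"}')
    (root / "package.json").write_text('{"name": "demo", "private": true}')
    return scan_repo(root)
```

Point `scan_repo` at a real checkout to list files worth a manual look; a hit is a lead for the workstation and repository audit the post recommends, not a verdict on its own.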
| Trend | Post Mentions | Total Month Mentions | Posts | Companies | MoM |
|---|---|---|---|---|---|
| Serverless | 9 | 59 | 20 | 17 | -94% |
| Secrets Management | 4 | 181 | 40 | 32 | -93% |
| Kubernetes | 2 | 222 | 25 | 18 | -90% |
Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.