The supply chain attack called PolinRider tied to North Korea is targeting open-source repos and aims to compromise maintainer accounts, modify legit repos, and publish infected package versions where they retain or obtain registry access.In a July 1 blog post, researchers at Socket said the campaign has expanded beyond npm into additional open-source ecosystems. Socket observed 162 malicious release artifacts that it identified across 108 unique packages, including compromise traces in 80 Go modules, 10 Packagist packages, and one Chrome extension.The researchers also pointed out that they linked PolinRider to the Contagious Interview campaign conducted by Famous Chollima, considered a subset of the notorious North Korean Lazarus group.Joshua Miller, director of threat intelligence at BeyondTrust, said this supply chain attack happens through the code itself. Miller said the adversaries compromise the accounts of legitimate open source maintainers, hide obfuscated code inside trusted packages, and rewrite version history so the changes look old and routine.“When a developer installs or builds the package, a concealed loader pulls its real payload from public blockchain infrastructure that’s hard to take down, then installs a remote-access trojan and an information stealer,” said Miller. “The objective is theft of developer secrets, cloud tokens. and cryptocurrency wallets.”Miller said it’s consistent and deliberate pattern: the attackers go after individual developers and the trust they place in open-source code, hide the malicious logic where reviewers rarely look, and monetizes through stolen secrets and crypto.“This is a mature, North Korea-linked operation now aimed at package registries, where one compromised maintainer reaches everyone downstream who trusts that package,” explained Miller.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




