North Korean-Linked Group Flags 108 Malicious Packages and Extensions in PolinRider Operation

Researchers say a North Korean-linked threat group tied to the long-running Contagious Interview campaign has released 108 distinct malicious packages and browser extensions across several software ec...

Researchers say a North Korean-linked threat group tied to the long-running Contagious Interview campaign has released 108 distinct malicious packages and browser extensions across several software ecosystems, including npm, Packagist, Go, and the Google Chrome Web Store. The activity, tracked as PolinRider, remains ongoing and appears likely to continue as attackers gain access to maintainer accounts and legitimate publishing channels.

According to Socket researcher Karlo Zanki, the 162 malicious release artifacts map to 108 unique packages and extensions, with the collection spanning 19 npm libraries, 10 Composer packages, 61 Go modules, and one Chrome extension. The operation is designed to reach software developers and cryptocurrency workers by embedding malware in the tools and repositories they trust most.

How the campaign works

Contagious Interview has been active since at least 2023 and is known for posing as recruiters, partners, or potential employers on platforms such as LinkedIn, GitHub, and freelance marketplaces. The attackers typically use convincing job offers and technical assessments to persuade targets to run malicious code. In the PolinRider wave, the group has also been associated with compromised public GitHub repositories and malicious VS Code task files that can execute code when a folder is opened in an editor.

OpenSourceMalware previously reported that the attackers were not relying on stolen GitHub credentials alone. Instead, they appear to have gained access through malicious packages or extensions, and in some cases may have used account recovery paths or expired domain takeovers to publish infected releases. Once active, the malware looks for common project files such as

  • postcss.config.mjs
  • tailwind.config.js
  • eslint.config.mjs
  • next.config.mjs
  • babel.config.js
  • app.js
and then appends hidden JavaScript payloads.

Payloads and defender guidance

The latest samples act as loaders that contact blockchain-related services, including TRON, Aptos, and BNB Smart Chain, to retrieve an encrypted second stage. Prior reporting linked that chain to DEV#POPPER RAT and OmniStealer. Researchers also noted attempts to mask the activity by rewriting Git history, including force pushes and backdated commits, which can make repository timelines look benign.

Security teams are advised to review repository activity logs, package metadata, hidden execution paths, and configuration changes in files such as .vscode/tasks.json, config.js, vite.config.js, and eslint.config.js. Anyone who installed affected packages should assume compromise, rotate secrets from a clean system, remove the affected versions, and rebuild from trusted sources.