Researchers reported a broad software supply chain campaign targeting developers and cryptocurrency users through hijacked packages, browser extensions, and compromised maintainer accounts across ecosystems including npm, Go, Chrome, and Packagist. Socket linked the activity to North Korean actors associated with the Contagious Interview operation and identified 108 malicious packages and extensions spanning 162 release artifacts, while JFrog separately analyzed hijacked npm packages html-to-gutenberg 4.2.11 and fetch-page-assets 1.2.9 that were uploaded with malicious code. The activity appears to rely on account hijacking rather than compromise of GitHub itself, and some attacker infrastructure reportedly remains active even after certain packages were removed.
The malware chain used unusual delivery and evasion techniques aimed at developer workstations, including a VS Code folder-open task instead of standard npm lifecycle scripts, JavaScript hidden in a fake font file, and encrypted payload retrieval from blockchain transaction data on TRON, Aptos, and BNB Smart Chain. Researchers said the campaign deployed components including BeaverTail, DEV#POPPER RAT, OmniStealer, a socket.io backdoor, and a Python infostealer to steal browser credentials, password-manager contents, cryptocurrency wallet data, developer secrets, and operating system credential-store material across Windows, macOS, and Linux. Security firms warned that affected developer systems and credentials should be treated as fully compromised.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
An OpenSource Malware report said PolinRider had reached nearly 200 malicious release artifacts tied to 111 packages and extensions across Go, Packagist, npm, and PyPI, with more than 80 Go modules and 10 Packagist packages observed. The analysis also described how the campaign used force-pushed anti-dated commits and Git history rewriting to hide tampering, while abusing repo-sourced ecosystems where a GitHub account takeover can directly compromise published artifacts.
Socket researchers identified a large-scale campaign dubbed PolinRider involving 108 malicious packages and extensions that produced 162 release artifacts across ecosystems including npm, Go, Chrome, and Packagist. They linked the activity to hijacked developer accounts on platforms such as GitHub, Visual Studio Code, and npm, and associated it with North Korean actors tied to the Contagious Interview campaign.
JFrog Security Research reported that the same payload pattern seen in the hijacked npm packages was also present in additional malicious Go packages, indicating the activity extended beyond npm. The report also noted that some malicious packages remained live and attacker infrastructure was still active, even though the npm versions had been removed.
A technical analysis described two malicious npm packages, tailwind-color-shades 1.0.2 and safe-validate 1.0.4, tied to the PolinRider campaign and published by deepthought26. The report detailed an import-triggered loader that retrieved XOR-encrypted payload stages from blockchain transaction data and published IOCs, blockchain pointers, XOR keys, and hunting guidance.
The npm packages html-to-gutenberg version 4.2.11 and fetch-page-assets version 1.2.9 were uploaded as hijacked releases carrying a multi-stage malware chain that abused a VS Code folder-open task and blockchain-hosted payload retrieval.
Socket said the North Korean-linked PolinRider supply-chain campaign has been active since December 2025, targeting open source developers by compromising legitimate repositories and packages to distribute malware. The activity used injected JavaScript loaders to deliver the DEV#POPPER remote access trojan and OmniStealer.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
7 references tracked. Mallory keeps watching after this page renders.
bsky.app
Open sourceopensourcemalware.com
Open sourcescworld.com
Open sourcesecurityweek.com
Open sourcecysecurity.news
Open sourceresearch.jfrog.com
Open sourcemeltedinhex.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.