The PolinRider campaign represents one of the most aggressive and technically sophisticated open-source supply chain attacks ever attributed to North Korea. First flagged by OpenSourceMalware in March 2026, it has rapidly expanded across multiple package ecosystems and developer toolchains, compromising nearly 2,000 GitHub repositories and leveraging blockchain technology for command-and-control (C2) resilience .
PolinRider is attributed to the Democratic People's Republic of Korea (DPRK) and aligned with the Lazarus Group. It operates as a sub-campaign within the broader Contagious Interview cluster (also tracked as Famous Chollima) . The campaign has operationally merged with the related TasksJacker campaign, which focuses on abusing VS Code task automation
.
The scale of PolinRider is vast and growing rapidly:
The campaign has spread far beyond npm, its initial vector:
dev-log-core, logger-base, logkitx, pino-debugger, debug-fmt, and debug-glit The campaign also compromised the widely used Axios npm library (versions 1.14.1 and 0.30.0) in April 2026 via a malicious dependency named plain-crypto-js, affecting roughly 100 million weekly downloads .
The PolinRider infection chain is a carefully orchestrated, four-stage process designed to maximize stealth and minimize the need for victim interaction.
Attackers append heavily obfuscated JavaScript to the end of legitimate developer configuration files such as postcss.config.mjs, tailwind.config.js, eslint.config.mjs, and next.config.mjs . The malicious lines are padded with excess whitespace, pushing the code beyond the default IDE viewing width and making it invisible during casual code review
.
PolinRider employs three primary concealment techniques:
.woff2 font files: The obfuscated JavaScript is disguised as a web font file, a binary format most developers never inspect Malicious .vscode/tasks.json files are injected into repositories. When a developer clones a compromised repo and opens it in VS Code, the task executes automatically with no further user interaction. This bypasses the social engineering step used in earlier Contagious Interview campaigns entirely .
The deobfuscated JavaScript loader retrieves its next-stage payload by reading encrypted data embedded in cryptocurrency blockchain transactions. The campaign uses TRON, Aptos, and BSC (BNB Smart Chain) blockchain networks as dead-drop C2 channels . This "etherhiding" technique makes takedown extremely difficult since the C2 data exists immutably on public blockchains.
PolinRider delivers a suite of malicious payloads, each with specific capabilities:
The primary malware family delivered is a new variant of BeaverTail, a known JavaScript-based malware associated with DPRK operations. It acts as a first-stage dropper and credential harvester .
The infection chain delivers a JavaScript-based RAT tracked as DEV#POPPER.js. It provides full remote code execution (RCE), persistent access, and the ability to execute arbitrary commands on the compromised developer workstation. eSentire's Threat Response Unit (TRU) detected it in the wild targeting the Energy, Utilities, and Waste sector in February 2026 .
Deployed alongside DEV#POPPER, OmniStealer aggressively targets cryptocurrency wallet credentials, private keys, browser-stored credentials, session tokens, API keys, and CI/CD secrets .
PolinRider is a direct operational evolution of the Contagious Interview campaign. While Contagious Interview historically relied on fake job interview lures and social engineering to trick developers into installing trojanized projects, PolinRider represents a shift toward fully automated, social-engineering-free supply chain compromise .
Key differences and overlaps include:
Based on guidance from OpenSourceMalware, Socket Security, Sonatype, and other researchers, organizations should take the following steps:
package.json, go.mod, and lockfiles postcss.config.mjs, tailwind.config.js, eslint.config.mjs, next.config.mjs and similar files for appended obfuscated JavaScript .vscode/ directories for unexpected tasks.json with auto-run configurations .woff2 and other binary asset files for embedded JavaScript npm auditsocket.dev scanning) before installation Studio Global AI
Use this topic as a starting point for a fresh source-backed answer, then compare citations before you share it.
PolinRider is a North Korean (Lazarus/Contagious Interview cluster) supply chain campaign that, as of late April 2026, had compromised 1,951 GitHub repositories belonging to 1,047 unique owners — roughly tripling in f...
PolinRider is a North Korean (Lazarus/Contagious Interview cluster) supply chain campaign that, as of late April 2026, had compromised 1,951 GitHub repositories belonging to 1,047 unique owners — roughly tripling in f... More than 1,700 malicious npm packages have been published as part of the broader Contagious Interview operation, with the campaign spreading to PyPI, Go, Packagist (PHP), and crates.io (Rust), and even compromising t...
The campaign delivers BeaverTail (a JavaScript dropper/stealer), DEV POPPER.js (a remote access trojan), and OmniStealer (an information stealer targeting crypto wallets and credentials) and represents a dangerous evo...
.vscode/tasks.json files and injected CI pipelines