North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign
What’s new: North Korean hackers linked to the Contagious Interview campaign have published 108 malicious packages and browser extensions across npm, Packagist, Go, and Google Chrome. This ongoing PolinRider campaign has compromised 1,951 public GitHub repositories, utilizing tactics such as account takeover and malicious VS Code extensions to deliver malware, including the DEV#POPPER RAT and OmniStealer.
Who’s affected
Developers and organizations using npm, Packagist, Go modules, and Google Chrome extensions may be at risk, particularly those who have interacted with compromised repositories or installed malicious packages.
What to do
- Review repository activity logs and package release metadata for suspicious changes.
- Rotate exposed secrets from a clean machine if malicious packages were installed.
- Remove affected versions and rebuild from a known good lockfile.
- Audit developer workstations and repositories for hidden execution paths or suspicious commits, especially in “.vscode/tasks.json,” “config.js,” “vite.config.js,” and “eslint.config.js” files.
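One way to run the last audit step over a checkout, as an added example that is not from the original article or any vendor tooling: it flags `.vscode/tasks.json` tasks set to run when the folder is opened and, in the three config files named above, very long lines or dynamic-execution calls. The `runOn: folderOpen` check relies on VS Code's task option of that name; the regex, line-length threshold and skipped directories are assumed triage heuristics, not published indicators for this campaign.

```python
import json, re, sys
from pathlib import Path

CONFIG_NAMES = {"config.js", "vite.config.js", "eslint.config.js"}  # named in the advisory
SKIP_DIRS = {"node_modules", ".git"}  # assumed: third-party and VCS internals are out of scope
# Assumed triage heuristics, not indicators published for this campaign.
DYNAMIC_EXEC = re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(|child_process|\batob\s*\(")
AUTO_RUN = re.compile(r'"runOn"\s*:\s*"folderOpen"')
MAX_LINE = 400  # assumed: a longer line in a config file deserves a manual look

def runs_on_open(task):
    opts = task.get("runOptions") if isinstance(task, dict) else None
    return isinstance(opts, dict) and opts.get("runOn") == "folderOpen"

def audit_tasks(path):
    """Report VS Code tasks configured to start as soon as the folder is opened."""
    text = path.read_text(encoding="utf-8", errors="replace")
    try:
        doc = json.loads(text)
    except ValueError:  # tasks.json may contain comments; fall back to a text match
        return ["auto-run task (file is not strict JSON)"] if AUTO_RUN.search(text) else []
    tasks = doc.get("tasks") if isinstance(doc, dict) else None
    return [f"auto-run task {t.get('label')!r}: {t.get('command')!r}"
            for t in (tasks if isinstance(tasks, list) else []) if runs_on_open(t)]

def audit_config(path):
    """Report over-long lines and dynamic-execution constructs in a JS config file."""
    hits = []
    for n, line in enumerate(path.read_text(encoding="utf-8", errors="replace").splitlines(), 1):
        if len(line) > MAX_LINE:
            hits.append(f"line {n}: {len(line)} characters")
        if DYNAMIC_EXEC.search(line):
            hits.append(f"line {n}: dynamic code execution")
    return hits

def audit_tree(root):
    """Walk a checkout and return (relative path, finding) pairs for manual review."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or SKIP_DIRS & set(rel.parts):
            continue
        if rel.parts[-2:] == (".vscode", "tasks.json"):
            findings += [(rel.as_posix(), h) for h in audit_tasks(path)]
        elif path.name in CONFIG_NAMES:
            findings += [(rel.as_posix(), h) for h in audit_config(path)]
    return findings

if __name__ == "__main__":
    print(*audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."), sep="\n")
```

A hit is a prompt for manual review rather than proof of compromise; legitimate projects also use auto-run tasks and `child_process` in build configuration.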



