News

North Korean Hackers Publish 108 Malicious Packages in Ongoing Campaign

North Korean hackers linked to the Contagious Interview campaign have published 108 malicious packages and extensions across npm, Packagist, Go, and Chrome.

A sophisticated North Korean hacking campaign, known as PolinRider, continues to target developers and cryptocurrency professionals. The hackers have published 108 malicious packages and extensions, compromising public GitHub repositories and developer tools.

North Korean Hackers Publish 108 Malicious Packages in Ongoing Campaign

North Korean threat actors tied to the Contagious Interview campaign have been actively publishing 108 unique malicious packages and web browser extensions across multiple platforms, including npm, Packagist, Go, and Google Chrome. This ongoing activity, dubbed PolinRider, is part of a broader effort to compromise developer environments and cryptocurrency sectors.

According to Socket security researcher Karlo Zanki, the campaign remains active, with new malicious packages likely to continue appearing as threat actors compromise maintainer accounts, modify legitimate repositories, and publish infected versions. The 162 malicious release artifacts identified so far include 19 npm libraries, 10 Composer packages, 61 Go modules, and one Google Chrome extension.

Contagious Interview Campaign Overview

The Contagious Interview campaign, active since at least 2023, targets software developers and cryptocurrency professionals through deceptive job recruitment tactics. Hackers pose as recruiters or collaborators on platforms like LinkedIn, GitHub, and freelance websites, using fake front companies and AI-generated employee profiles to build trust and deliver malware.

In March 2026, the OpenSourceMalware team first flagged PolinRider, noting that threat actors implanted obfuscated JavaScript payloads in hundreds of public GitHub repositories to distribute a new variant of BeaverTail, a JavaScript malware linked to Contagious Interview. As of April 11, 2026, the campaign has compromised 1,951 public GitHub repositories belonging to 1,047 unique owners.

Attack Methodology

The attackers are not using stolen GitHub credentials but instead compromise victims through malicious VS Code extensions or npm packages. They are believed to take over maintainer accounts through expired domain takeovers or other account recovery methods.

Once executed, the malware searches for specific files (e.g., postcss.config.mjs, tailwind.config.js, eslint.config.mjs) and appends malicious JavaScript code to them. It also uses Windows batch scripts to modify the last commit while making it appear as though the changes were made by the original author. Similar tools are suspected to be used for rewriting Git history on Linux and macOS.

The payload functions as a JavaScript malware loader that connects to blockchain infrastructure, including TRON, Aptos, and BNB Smart Chain services, to fetch an encrypted second-stage payload. This payload unpacks to DEV#POPPER RAT and OmniStealer, as detailed by eSentire in March 2026.

Mitigation and Recommendations

Users who have installed compromised packages are advised to treat their environments as compromised, rotate exposed secrets from a clean machine, remove affected versions, and rebuild from a known good lockfile. Additionally, developers should audit their workstations and repositories for hidden execution paths or suspicious commits that modify configuration files like .vscode/tasks.json, config.js, and vite.config.js.

The discovery of this campaign underscores the growing threat of supply chain attacks targeting developers and the need for heightened vigilance in securing development environments.