More Than 100 Open Source Packages Weaponized in Ongoing Campaign
Since December 2025, a threat group linked to North Korea has been systematically compromising open source repositories and package registries. Security firm Socket calls the operation PolinRider, and it’s already hit more than 100 legitimate packages across NPM, Packagist, Go modules, and Chrome extensions.
The attackers aren’t just sneaking in a single malicious library. They’re deploying a two-stage infection: a JavaScript loader that pulls down the DEV#POPPER remote access trojan (RAT) and a separate information stealer called OmniStealer. The goal is to grab credentials, source code, and CI/CD secrets from developer machines.
Socket has identified 162 malicious release artifacts across 108 unique packages so far. And they expect more to surface.
How PolinRider Works: Compromised Accounts and Rewritten Git History
The attack chain starts with the threat actor taking over legitimate maintainer accounts on GitHub. Once inside, they tamper with repositories and push infected package versions. To cover their tracks, they rewrite Git history — making the malicious changes look like they were made months earlier.
The compromised repos contain obfuscated JavaScript loaders. Those loaders connect to blockchain and public RPC infrastructure to fetch encrypted payloads. It’s a clever way to host command-and-control data on decentralized networks, making takedowns harder.
One example Socket flagged: a GitHub account called Xpos587, which maintains several repositories. All of them were modified on June 23 within a short window. That pattern — a burst of changes to unrelated repos — is a red flag.
Packagist Compromise: Malware Hidden in Configuration Files
The campaign recently expanded to Packagist, the main package repository for PHP. Multiple packages under the sevenspan namespace were compromised. The attackers stashed the malicious loaders inside configuration files — the kind of files most developers wouldn’t think to inspect closely.
Socket notes that even a cleanup operation missed some of these hidden loaders. That means teams that installed any affected package version should treat the entire development environment as potentially compromised.
Why Developer Machines Are Prime Targets
Developers’ workstations often hold a treasure trove of credentials: package registry tokens, cloud API keys, source code repositories, and CI/CD pipeline secrets. A single compromised machine can give attackers access to an entire organization’s software supply chain.
“Because PolinRider targets developer environments and may expose package registry, source code, cloud, and CI/CD credentials, remediation should be performed from a clean machine, not from the potentially infected host,” Socket warns.
Part of a Broader North Korean Hacking Ecosystem
PolinRider isn’t an isolated incident. Socket connects it to a larger operation called Contagious Interview, which overlaps with several known North Korean campaigns: DeceptiveDevelopment, Operation Dream Job, and ClickFake Interview.
These campaigns share a common playbook. Attackers pose as recruiters, contact developers on LinkedIn or other platforms, and lure them into installing malicious packages or running fake coding tests. The goal is always the same — get a foothold in the developer’s machine and pivot into the corporate network.
Earlier this year, North Korean hackers were blamed for the Mastra NPM supply chain attack and for targeting high-profile Node.js maintainers. They’ve also been spotted using AppleScript and ClickFix tricks in fresh macOS attacks.
What Developers Should Do Right Now
If your team uses open source packages from NPM, Packagist, or Go modules, here’s what Socket recommends:
- Audit your dependencies against the list of known compromised packages (Socket maintains an updated inventory).
- Check your GitHub repositories for unusual activity — especially sudden bursts of changes to multiple repos from the same account.
- Review Git history for rewritten commits. If a commit timestamp looks suspiciously old but the content seems recent, investigate.
- Rotate all credentials stored on any machine that might have installed an affected package. Do this from a clean, isolated system.
- Enable two-factor authentication on all package registry and GitHub accounts. Use hardware security keys where possible.
The PolinRider campaign is a stark reminder that open source isn’t just about convenience. It’s an attack surface. And North Korean hackers are exploiting it with increasing sophistication.