    North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign

    By admin | July 4, 2026
    The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing 108 unique packages and web browser extensions spanning npm, Packagist, Go, and Google Chrome as part of an ongoing activity referred to as PolinRider.

    “The campaign remains active, and new malicious packages are likely to continue appearing as threat actors compromise maintainer accounts, modify legitimate repositories, and publish infected package versions where they retain or obtain registry access,” Socket security researcher Karlo Zanki said in an analysis published this week.

    The 162 malicious release artifacts span multiple release versions corresponding to 108 unique packages and extensions, including 19 npm libraries, 10 Composer packages, 61 Go modules, and one Google Chrome extension.

    Contagious Interview is the moniker assigned to a North Korea-aligned campaign that weaponizes job recruitment to target software developers and individuals working in the cryptocurrency sectors, using persuasive job interviews and assessments to trick them into executing malicious code.

    The activity has been active since at least 2023. Attackers masquerade as recruiters or collaborators on platforms like LinkedIn, GitHub, or freelance websites, often setting up elaborate front companies and AI-generated employee profiles to build trust and ultimately deliver malware.

    The OpenSourceMalware team first flagged PolinRider in March 2026, describing it as a campaign in which the threat actors implant malicious obfuscated JavaScript payloads in hundreds of public GitHub repositories belonging to several unique owners to deliver a new variant of BeaverTail, a known JavaScript malware associated with Contagious Interview.

    As of April 11, 2026, the activity has compromised 1,951 public GitHub repositories associated with 1,047 unique owners, while also merging with another cluster called TaskJacker that drops malicious VS Code task files into GitHub users’ existing repositories. The VS Code tasks include the “runOn: ‘folderOpen’” option to trigger the execution of arbitrary code when the folder is opened as a workspace folder in an IDE like VS Code or Cursor.

    “The threat actor is not using stolen GitHub credentials,” OpenSourceMalware said. “Instead, the victims have been compromised via a malicious VS Code extension or npm package.” It’s believed that the attackers are taking over maintainer accounts, likely through expired domain takeover or another account recovery path, to pull off the scheme.

    Once executed, the malware searches the infected computer for certain files like “postcss.config.mjs,” “tailwind.config.js,” “eslint.config.mjs,” “next.config.mjs,” “babel.config.js,” and “app.js,” and, if found, appends malicious JavaScript code to them.

    It also uses a Windows batch script to stealthily modify the last commit, making the changes appear as if they were made by the original author. It’s suspected that similar tools are being used to rewrite Git history on other operating systems like Linux and macOS.

    “The core tradecraft remains consistent across the campaign: threat actors plant obfuscated JavaScript loaders in legitimate repositories, conceal the code through whitespace padding or fake .woff2 font files, and trigger execution through developer tooling such as VS Code task files,” Socket said.

    In the latest wave, the payload functions as a JavaScript malware loader that reaches out to blockchain infrastructure, including TRON, Aptos, and BNB Smart Chain services, to fetch an encrypted second-stage payload that unpacks to DEV#POPPER RAT and OmniStealer. This attack chain was detailed by eSentire in March 2026.

    “The threat actors use Git history rewriting, including force pushes and anti-dated commits to make malicious changes appear older and less suspicious,” Zanki said. “This makes the GitHub landing page and visible commit history unreliable indicators of compromise; defenders should review repository activity logs, package release metadata, VS Code task configuration, and suspicious changes to configuration files.”

    The development comes as JFrog uncovered a cluster of npm packages linked to Contagious Interview, some of which masqueraded as Rollup polyfill tools to enable remote access and data theft. Earlier this week, another set of npm packages and Go packages was identified as incorporating VS Code auto-run tasks to run JavaScript payloads disguised as fake font files, indicating tactical overlaps between Fake Font, TaskJacker, and PolinRider.

    Users who have installed these packages should treat the environment as compromised, rotate exposed secrets from a clean machine, remove affected versions and rebuild from a known good lockfile, and audit developer workstations and repositories for hidden execution paths or suspicious commits that have modified “.vscode/tasks.json,” “config.js,” “vite.config.js,” and “eslint.config.js” files.
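
One way to run the repository audit described above, as an added example that is not code from Socket, OpenSourceMalware, or the original article: it flags VS Code tasks that auto-run on folder open, whitespace-padded config files, and `.woff2` files that are not fonts. The function names and the 200-character padding threshold are assumptions, and the sample repository is constructed with inert content.

```python
import re
import tempfile
from pathlib import Path

# Config files the article names as injection or audit targets.
CONFIG_NAMES = {
    "postcss.config.mjs", "tailwind.config.js", "eslint.config.mjs",
    "next.config.mjs", "babel.config.js", "app.js",
    "config.js", "vite.config.js", "eslint.config.js",
}
# tasks.json is JSON-with-comments, so match the key textually instead of json.loads().
AUTORUN = re.compile(r'"runOn"\s*:\s*"folderOpen"')
# Assumed heuristic: 200+ spaces/tabs followed by more text (code pushed off-screen).
PADDING = re.compile(r"[ \t]{200,}\S")
WOFF2_MAGIC = b"wOF2"  # first four bytes of a genuine WOFF2 font

def audit_repo(root):
    """Return sorted (relative_path, finding) pairs for one checked-out repository."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or ".git" in path.relative_to(root).parts:
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == "tasks.json" and path.parent.name == ".vscode":
            if AUTORUN.search(path.read_text(errors="replace")):
                findings.append((rel, "task auto-runs on folderOpen"))
        elif path.name in CONFIG_NAMES:
            if PADDING.search(path.read_text(errors="replace")):
                findings.append((rel, "code hidden behind whitespace padding"))
        elif path.suffix == ".woff2":
            if path.read_bytes()[:4] != WOFF2_MAGIC:
                findings.append((rel, "not a real WOFF2 font"))
    return sorted(findings)

def demo():
    """Build a constructed sample repository with inert content and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / ".vscode").mkdir()
        (repo / "fonts").mkdir()
        (repo / ".vscode" / "tasks.json").write_text(
            '{ // constructed sample\n "tasks": [{"label": "x", "command": "echo hi",\n'
            '  "runOptions": {"runOn": "folderOpen"}}]}')
        (repo / "eslint.config.mjs").write_text("export default [];" + " " * 400 + "/* inert */\n")
        (repo / "vite.config.js").write_text("export default {};\n")
        (repo / "fonts" / "real.woff2").write_bytes(b"wOF2" + b"\x00" * 16)
        (repo / "fonts" / "fake.woff2").write_bytes(b"/* inert placeholder */")
        return audit_repo(repo)
```

A hit is a lead for manual review, not proof of compromise: legitimate projects also use `folderOpen` tasks, so compare flagged files against a known good copy.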
