North Korean Hackers Publish 108 Malicious Packages in Ongoing Campaign
North Korean threat actors tied to the Contagious Interview campaign have been actively publishing 108 unique malicious packages and web browser extensions across multiple platforms, including npm, Packagist, Go, and Google Chrome. This ongoing activity, dubbed PolinRider, is part of a broader effort to compromise developer environments and cryptocurrency sectors.
According to Socket security researcher Karlo Zanki, the campaign remains active, with new malicious packages likely to continue appearing as threat actors compromise maintainer accounts, modify legitimate repositories, and publish infected versions. The 162 malicious release artifacts identified so far include 19 npm libraries, 10 Composer packages, 61 Go modules, and one Google Chrome extension.
Contagious Interview Campaign Overview
The Contagious Interview campaign, active since at least 2023, targets software developers and cryptocurrency professionals through deceptive job recruitment tactics. Hackers pose as recruiters or collaborators on platforms like LinkedIn, GitHub, and freelance websites, using fake front companies and AI-generated employee profiles to build trust and deliver malware.
In March 2026, the OpenSourceMalware team first flagged PolinRider, noting that threat actors implanted obfuscated JavaScript payloads in hundreds of public GitHub repositories to distribute a new variant of BeaverTail, a JavaScript malware linked to Contagious Interview. As of April 11, 2026, the campaign has compromised 1,951 public GitHub repositories belonging to 1,047 unique owners.
Attack Methodology
The attackers are not using stolen GitHub credentials but instead compromise victims through malicious VS Code extensions or npm packages. They are believed to take over maintainer accounts through expired domain takeovers or other account recovery methods.
Once executed, the malware searches for specific files (e.g., postcss.config.mjs, tailwind.config.js, eslint.config.mjs) and appends malicious JavaScript code to them. It also uses Windows batch scripts to modify the last commit while making it appear as though the changes were made by the original author. Similar tools are suspected to be used for rewriting Git history on Linux and macOS.
The payload functions as a JavaScript malware loader that connects to blockchain infrastructure, including TRON, Aptos, and BNB Smart Chain services, to fetch an encrypted second-stage payload. This payload unpacks to DEV#POPPER RAT and OmniStealer, as detailed by eSentire in March 2026.
Mitigation and Recommendations
Users who have installed compromised packages are advised to treat their environments as compromised, rotate exposed secrets from a clean machine, remove affected versions, and rebuild from a known good lockfile. Additionally, developers should audit their workstations and repositories for hidden execution paths or suspicious commits that modify configuration files like .vscode/tasks.json, config.js, and vite.config.js.
The discovery of this campaign underscores the growing threat of supply chain attacks targeting developers and the need for heightened vigilance in securing development environments.