The PolinRider Campaign Emerges
North Korean threat actors associated with the Contagious Interview campaign have released 108 unique malicious packages and browser extensions across multiple registries. Security researchers at Socket identified the activity, named PolinRider, targeting npm, Packagist, Go, and Google Chrome ecosystems. Since at least 2023, Contagious Interview has used fake job recruitment tactics to trick software developers and cryptocurrency workers into executing malicious code.
The 162 malicious release artifacts include 19 npm libraries, 10 Composer packages, 61 Go modules, and one Chrome extension. Attackers compromise maintainer accounts through expired domain takeovers or account recovery exploits, then modify legitimate repositories to distribute infected package versions.
Infection Chain and Execution Methods
Victims are compromised through malicious VS Code extensions or npm packages rather than stolen GitHub credentials. The malware uses VS Code task files (tasks.json) with the runOn: folderOpen option, which makes the task execute automatically as soon as a developer opens the affected folder as a workspace. Once triggered, the payload targets specific configuration files such as postcss.config.mjs and tailwind.config.js, appending malicious JavaScript code to them.
The attackers rewrite Git history using force pushes and backdated commits so that the malicious changes appear older and less suspicious. The malware reaches out to blockchain infrastructure services on TRON, Aptos, and BNB Smart Chain to fetch encrypted second-stage payloads that unpack to DEV POPPER RAT and OmniStealer.
Scope and Mitigation Advice
As of April 2026, PolinRider has compromised 1,951 public GitHub repositories belonging to 1,047 unique owners. The campaign has merged with another cluster called TaskJacker that drops malicious VS Code task files into existing repositories. Researchers note that the campaign remains active and new malicious packages will likely continue appearing.
Users who installed these packages should treat their environment as compromised, rotate exposed secrets from a clean machine, remove the affected versions, and rebuild from a known-good lockfile. Security teams should audit developer workstations and repositories for hidden execution paths or suspicious commits that modify VS Code task configuration and build configuration files such as config.js and vite.config.js.
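The two execution paths described above (a tasks.json entry that auto-runs on folder open, and loader code appended to the tail of a build config file) can be checked for mechanically. The following audit helper is an added example written for this summary; it is not code from Socket, The Hacker News, or the campaign itself. The suspicious-construct patterns and the sample inputs are constructed assumptions for illustration, not published indicators from the report.

```python
"""Audit helper for the execution paths described in the PolinRider summary.

Added example, not code from the original report. It flags:
  1. .vscode/tasks.json tasks whose runOptions.runOn is "folderOpen", which VS Code
     runs automatically when the folder is opened as a workspace;
  2. build/config files (postcss.config.mjs, tailwind.config.js, vite.config.js, ...)
     whose last lines contain code-loading constructs a config file has no reason to use.
The indicator patterns below are assumptions chosen for illustration, not published IoCs.
"""
import json
import re
from pathlib import Path

# Config files named in the summary as targets or audit candidates.
WATCHED_CONFIGS = {"postcss.config.mjs", "tailwind.config.js", "vite.config.js", "config.js"}

# Heuristic patterns for appended loader code (assumed indicators, not from the report).
SUSPICIOUS_PATTERNS = [
    (r"\beval\s*\(", "eval()"),
    (r"\bnew\s+Function\s*\(", "Function constructor"),
    (r"\batob\s*\(", "base64 decode"),
    (r"Buffer\.from\s*\([^)]*['\"]base64['\"]", "base64 decode"),
    (r"child_process", "child_process import"),
    (r"\bfetch\s*\(\s*['\"]https?://", "remote fetch"),
    (r"\\x[0-9a-fA-F]{2}(\\x[0-9a-fA-F]{2}){7,}", "hex-escaped string"),
    (r"[A-Za-z0-9+/]{120,}={0,2}", "long base64 blob"),
]


def _strip_jsonc(text: str) -> str:
    """VS Code's tasks.json allows comments and trailing commas; normalise to plain JSON."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)      # block comments
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)       # whole-line comments
    text = re.sub(r",\s*([}\]])", r"\1", text)              # trailing commas
    return text


def find_folder_open_tasks(tasks_json: str) -> list:
    """Return (label, command) for every task that auto-runs when the folder is opened."""
    try:
        doc = json.loads(_strip_jsonc(tasks_json))
    except json.JSONDecodeError:
        return [("<unparseable tasks.json>", "")]
    hits = []
    for task in doc.get("tasks", []):
        run_on = str(task.get("runOptions", {}).get("runOn", "")).lower()
        if run_on == "folderopen":
            cmd = str(task.get("command", ""))
            if task.get("args"):
                cmd += " " + " ".join(map(str, task["args"]))
            hits.append((task.get("label", "<unnamed>"), cmd))
    return hits


def scan_config_text(text: str, tail_lines: int = 40) -> list:
    """Return the suspicious constructs found in the last `tail_lines` of a config file.

    The campaign appends to an otherwise legitimate file, so the injected loader
    lands at the end; scanning only the tail keeps false positives down.
    """
    tail = "\n".join(text.splitlines()[-tail_lines:])
    found = {label for pattern, label in SUSPICIOUS_PATTERNS if re.search(pattern, tail)}
    return sorted(found)


def audit_repo(root: Path) -> dict:
    """Walk a checkout and collect findings keyed by path relative to the repo root."""
    findings = {}
    for tasks_file in root.glob("**/.vscode/tasks.json"):
        hits = find_folder_open_tasks(tasks_file.read_text(errors="replace"))
        if hits:
            findings[str(tasks_file.relative_to(root))] = hits
    for cfg in root.glob("**/*"):
        if cfg.is_file() and cfg.name in WATCHED_CONFIGS and "node_modules" not in cfg.parts:
            labels = scan_config_text(cfg.read_text(errors="replace"))
            if labels:
                findings[str(cfg.relative_to(root))] = labels
    return findings


# Constructed sample inputs (not real campaign artifacts).
SAMPLE_TASKS_JSON = """{
  // runs the moment the workspace is opened
  "version": "2.0.0",
  "tasks": [
    {
      "label": "prepare",
      "type": "shell",
      "command": "node",
      "args": [".vscode/setup.js"],
      "runOptions": { "runOn": "folderOpen" },
    },
    { "label": "build", "type": "shell", "command": "npm run build" }
  ]
}"""

SAMPLE_CONFIG = (
    "export default {\n  plugins: { tailwindcss: {}, autoprefixer: {} },\n};\n"
    "(function(){const p=eval(atob('" + "QUJD" * 40 + "'));})();\n"
)

if __name__ == "__main__":
    print("folderOpen tasks:", find_folder_open_tasks(SAMPLE_TASKS_JSON))
    print("config findings: ", scan_config_text(SAMPLE_CONFIG))
    print("repo audit:      ", audit_repo(Path(".")))
```

Run it from a repository root to audit a checkout, or import the two scan functions into a CI job that runs on every pull request; a hit on either check is a reason to inspect the commit history for the force pushes and backdated commits the report describes rather than simply deleting the offending lines.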
Source: The Hacker News

