North Korean Hackers Poison Open Source Packages in Ongoing Supply Chain Attack
North Korean hackers target open source software in PolinRider, using GitHub to spread malware. Developers, check for potential breaches!
By
Content Team
ON THIS PAGE
Want more insights like this?
Subscribe to our newsletter to get the latest software protection strategies delivered to your inbox.
By submitting your email, you consent to Codekeeper contacting you and agree to our privacy policy.
North Korean hackers have been quietly compromising open source software since December 2025 in a campaign called PolinRider. Linked to the broader Contagious Interview operation, the attackers hijack legitimate GitHub maintainer accounts, inject obfuscated JavaScript loaders into real repositories, and use Git history rewriting to make the changes look old. The malware drops two payloads: the DEV#POPPER RAT and OmniStealer. So far, 162 malicious artifacts across 108 packages have been found on NPM, Packagist, Go modules, and Chrome extensions. Any developer who installed an affected package should assume their environment is compromised and remediate from a clean machine.
Source: SecurityWeek
Have questions about protecting your software?
Our escrow experts are standing by to help.
Book a free demo