North Korean hackers have been quietly compromising open source software since December 2025 in a campaign called PolinRider. Linked to the broader Contagious Interview operation, the attackers hijack legitimate GitHub maintainer accounts, inject obfuscated JavaScript loaders into real repositories, and use Git history rewriting to make the changes look old. The malware drops two payloads: the DEV#POPPER RAT and OmniStealer. So far, 162 malicious artifacts across 108 packages have been found on NPM, Packagist, Go modules, and Chrome extensions. Any developer who installed an affected package should assume their environment is compromised and remediate from a clean machine.
Source: SecurityWeek