North Korean threat actors linked to the Contagious Interview campaign have been observed publishing 108 unique malicious packages and web browser extensions across multiple package ecosystems and the Chrome Web Store. The operation, now tracked as PolinRider, spans npm, Packagist, Go modules, and Google Chrome extensions — and researchers confirm the campaign is still active with new malicious artifacts continuing to appear.
PolinRider: Scope and Targets
According to analysis reported by The Hacker News, PolinRider represents one of the most extensive multi-ecosystem supply chain campaigns attributed to North Korean operators in recent history. The 108 artifacts documented so far are spread across:
| Ecosystem | Purpose |
|---|---|
| npm | JavaScript/Node.js packages targeting developers |
| Packagist | PHP packages for web application developers |
| Go modules | Go ecosystem packages targeting backend developers |
| Chrome extensions | Browser-based credential theft and surveillance |
The breadth suggests a deliberate strategy to maximize reach across different developer communities rather than focusing on a single high-value target ecosystem.
Connection to Contagious Interview
Contagious Interview is a long-running North Korean threat cluster known for targeting software developers through fake job interview processes. The typical modus operandi involves:
- Contacting developers via LinkedIn, GitHub, or freelance platforms with fake job opportunities
- Asking candidates to complete a "technical assessment" — often downloading and running a malicious repository
- Using the assessment process to deploy malware on the candidate's development machine
PolinRider extends this approach by poisoning the package ecosystems developers depend on. Rather than requiring a targeted lure, malicious packages can be discovered organically when developers search for legitimate functionality — a passive but scalable infection vector.
How the Malicious Packages Work
While specific technical indicators vary by package, the general pattern observed in Contagious Interview supply chain attacks involves:
- Typosquatting or dependency confusion — Package names closely resemble popular legitimate packages or target internal package names
- Legitimate functionality with hidden payloads — Packages often include real utility functions to avoid suspicion during code review
- Post-install scripts — Malicious code executes during the
npm installor equivalent installation step, before the developer has reviewed any source - Staged payloads — Initial infection downloads additional malware from command-and-control infrastructure, keeping the package itself smaller and less suspicious
For Chrome extensions, the attack surface shifts to browser sessions — targeting saved credentials, session cookies, and cryptocurrency wallets accessible from the browser.
Why This Campaign Is Significant
Scale: 108 artifacts across four ecosystems is notable. Most supply chain campaigns are caught after a handful of malicious packages are published. The volume here suggests either that detection is lagging or that the actors are publishing at a rate that outpaces removal.
Persistence: The campaign remains active. Unlike point-in-time incidents, PolinRider requires ongoing monitoring of all four targeted ecosystems.
North Korean objectives: Contagious Interview activity is believed to serve multiple North Korean state objectives simultaneously — cryptocurrency theft to fund the regime, intellectual property theft targeting technology companies, and potentially intelligence gathering on developers with access to sensitive systems.
Cross-ecosystem coverage: Most supply chain security tooling and monitoring is ecosystem-specific. An operation spanning npm, Packagist, Go, and Chrome simultaneously can exploit gaps between siloed security programs.
Protective Measures for Developers and Organizations
- Audit dependencies — Run dependency audits (
npm audit, Dependabot, Snyk, or equivalent) regularly and review recent additions carefully. - Verify package provenance — Check download counts, publish dates, maintainer reputation, and repository links before installing unfamiliar packages.
- Lock file discipline — Commit lock files (
package-lock.json,go.sum,composer.lock) and review lock file diffs in pull requests to catch unexpected dependency changes. - Chrome extension management — Enforce a managed extension allowlist via enterprise browser policy. Disable the ability for users to install arbitrary extensions.
- Sandboxed development environments — Run package installations in isolated environments (containers, VMs) to limit the blast radius of post-install script execution.
- Threat intelligence monitoring — Subscribe to feeds from npm Security, PyPI, and security researchers who track these campaigns. The Hacker News, BleepingComputer, and Phylum publish regular supply chain threat reports.