Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. North Korean Hackers Publish 108 Malicious Packages in PolinRider Campaign
North Korean Hackers Publish 108 Malicious Packages in PolinRider Campaign
NEWS

North Korean Hackers Publish 108 Malicious Packages in PolinRider Campaign

Threat actors linked to North Korea's Contagious Interview campaign have published 108 malicious packages and browser extensions across npm, Packagist,...

Dylan H.

News Desk

July 4, 2026
4 min read

North Korean threat actors linked to the Contagious Interview campaign have been observed publishing 108 unique malicious packages and web browser extensions across multiple package ecosystems and the Chrome Web Store. The operation, now tracked as PolinRider, spans npm, Packagist, Go modules, and Google Chrome extensions — and researchers confirm the campaign is still active with new malicious artifacts continuing to appear.

PolinRider: Scope and Targets

According to analysis reported by The Hacker News, PolinRider represents one of the most extensive multi-ecosystem supply chain campaigns attributed to North Korean operators in recent history. The 108 artifacts documented so far are spread across:

EcosystemPurpose
npmJavaScript/Node.js packages targeting developers
PackagistPHP packages for web application developers
Go modulesGo ecosystem packages targeting backend developers
Chrome extensionsBrowser-based credential theft and surveillance

The breadth suggests a deliberate strategy to maximize reach across different developer communities rather than focusing on a single high-value target ecosystem.

Connection to Contagious Interview

Contagious Interview is a long-running North Korean threat cluster known for targeting software developers through fake job interview processes. The typical modus operandi involves:

  1. Contacting developers via LinkedIn, GitHub, or freelance platforms with fake job opportunities
  2. Asking candidates to complete a "technical assessment" — often downloading and running a malicious repository
  3. Using the assessment process to deploy malware on the candidate's development machine

PolinRider extends this approach by poisoning the package ecosystems developers depend on. Rather than requiring a targeted lure, malicious packages can be discovered organically when developers search for legitimate functionality — a passive but scalable infection vector.

How the Malicious Packages Work

While specific technical indicators vary by package, the general pattern observed in Contagious Interview supply chain attacks involves:

  • Typosquatting or dependency confusion — Package names closely resemble popular legitimate packages or target internal package names
  • Legitimate functionality with hidden payloads — Packages often include real utility functions to avoid suspicion during code review
  • Post-install scripts — Malicious code executes during the npm install or equivalent installation step, before the developer has reviewed any source
  • Staged payloads — Initial infection downloads additional malware from command-and-control infrastructure, keeping the package itself smaller and less suspicious

For Chrome extensions, the attack surface shifts to browser sessions — targeting saved credentials, session cookies, and cryptocurrency wallets accessible from the browser.

Why This Campaign Is Significant

Scale: 108 artifacts across four ecosystems is notable. Most supply chain campaigns are caught after a handful of malicious packages are published. The volume here suggests either that detection is lagging or that the actors are publishing at a rate that outpaces removal.

Persistence: The campaign remains active. Unlike point-in-time incidents, PolinRider requires ongoing monitoring of all four targeted ecosystems.

North Korean objectives: Contagious Interview activity is believed to serve multiple North Korean state objectives simultaneously — cryptocurrency theft to fund the regime, intellectual property theft targeting technology companies, and potentially intelligence gathering on developers with access to sensitive systems.

Cross-ecosystem coverage: Most supply chain security tooling and monitoring is ecosystem-specific. An operation spanning npm, Packagist, Go, and Chrome simultaneously can exploit gaps between siloed security programs.

Protective Measures for Developers and Organizations

  1. Audit dependencies — Run dependency audits (npm audit, Dependabot, Snyk, or equivalent) regularly and review recent additions carefully.
  2. Verify package provenance — Check download counts, publish dates, maintainer reputation, and repository links before installing unfamiliar packages.
  3. Lock file discipline — Commit lock files (package-lock.json, go.sum, composer.lock) and review lock file diffs in pull requests to catch unexpected dependency changes.
  4. Chrome extension management — Enforce a managed extension allowlist via enterprise browser policy. Disable the ability for users to install arbitrary extensions.
  5. Sandboxed development environments — Run package installations in isolated environments (containers, VMs) to limit the blast radius of post-install script execution.
  6. Threat intelligence monitoring — Subscribe to feeds from npm Security, PyPI, and security researchers who track these campaigns. The Hacker News, BleepingComputer, and Phylum publish regular supply chain threat reports.

Sources

  • The Hacker News — North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign
#North Korea#Supply Chain#npm#Chrome#Google#Threat Intelligence#The Hacker News

Related Articles

North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets

JFrog researchers attribute a fresh npm supply chain campaign to North Korea's Lazarus Group. Malicious packages impersonating Rollup polyfill tooling...

4 min read

UNC1069 Social Engineering of Axios Maintainer Led to npm

The North Korean threat actor UNC1069 used a sophisticated, targeted social engineering campaign against the Axios npm package maintainer Jason Saayman to...

4 min read

Google Attributes Axios npm Supply Chain Attack to North

Google's Threat Intelligence Group has formally attributed the supply chain compromise of the popular Axios npm package to UNC1069, a financially...

6 min read
Back to all News