Security researchers have identified an ongoing supply chain campaign attributed to North Korean threat actors, in which 108 unique malicious packages and web browser extensions have been distributed across npm, Packagist, Go, and the Google Chrome extension store. The activity has been designated PolinRider and is linked to the same cluster responsible for the previously documented Contagious Interview operation.

Scope and Distribution

The 108 packages span four distinct software ecosystems, indicating a deliberate effort to maximize developer exposure across different technology stacks. By targeting npm (JavaScript), Packagist (PHP), Go modules, and Chrome browser extensions, the actors are casting a wide net across both frontend and backend development communities.

Researchers note that the campaign remains active and that additional malicious packages are likely to emerge. One mechanism driving continued propagation is the compromise of legitimate maintainer accounts, which allows adversaries to inject malicious code into projects that already carry community trust.

Context: Contagious Interview Lineage

The Contagious Interview campaign has a documented history of targeting software developers, typically through fake job interview lures that trick candidates into running malicious code on their own machines. PolinRider appears to extend this tradecraft into the open-source supply chain, shifting from direct social engineering to passive poisoning of package repositories that developers pull into their projects.

Recommendations

  • Audit dependencies for recently published or updated packages from unfamiliar maintainers, particularly in the npm and Go ecosystems.
  • Review installed Chrome extensions for any additions that were not explicitly authorized by your organization.
  • Enable multi-factor authentication on package registry maintainer accounts to reduce the risk of account compromise.
  • Monitor build pipelines for unexpected network connections or post-install scripts that execute binaries.
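
One way to act on the post-install script recommendation for npm, as an added example that is not part of the original article: it reads a package-lock.json (lockfileVersion 2 or 3) and lists dependencies that npm flagged with hasInstallScript and that are not on a reviewed allowlist. The lockfile contents, package names and allowlist are constructed for illustration.

```python
"""Added example: list npm dependencies that declare install-time scripts."""
import json
import sys

# Constructed sample lockfile (lockfileVersion 3); all package names are made up.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/native-build-demo": {"version": "0.21.5", "hasInstallScript": true},
    "node_modules/left-helper-demo": {"version": "1.0.3", "hasInstallScript": true},
    "node_modules/@demo-scope/logger": {"version": "2.1.0"},
    "node_modules/native-build-demo/node_modules/nested-demo": {"version": "0.0.9", "hasInstallScript": true}
  }
}
""")

# Assumption: packages your team has reviewed and expects to run install hooks.
ALLOWLIST = {"native-build-demo"}


def package_name(lock_path):
    """Map a lockfile key such as 'node_modules/a/node_modules/@s/b' to '@s/b'."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def unreviewed_install_scripts(lock, allowlist):
    """Return sorted (name, version, lockfile path) for every dependency that
    npm marked hasInstallScript and that is not on the reviewed allowlist."""
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("need lockfileVersion 2 or 3 (has a 'packages' map)")
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path or not meta.get("hasInstallScript"):
            continue  # "" is the root project; the rest declare no hooks
        name = package_name(path)
        if name not in allowlist:
            findings.append((name, meta.get("version", "?"), path))
    return sorted(findings)


if __name__ == "__main__":
    lock = SAMPLE_LOCK
    if len(sys.argv) > 1:  # optional: path to a real package-lock.json
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    hits = unreviewed_install_scripts(lock, ALLOWLIST)
    for name, version, path in hits:
        print(f"REVIEW {name}@{version} runs install scripts ({path})")
    sys.exit(1 if hits else 0)
```

The non-zero exit status lets a CI job stop when a dependency update introduces an install hook that nobody has reviewed yet.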

The breadth of the PolinRider campaign underscores the persistent threat North Korean actors pose to developer toolchains. Organizations with active software development should treat dependency hygiene as a frontline security control, not an afterthought.