The North Korean linked threat activity tracked as PolinRider has expanded into one of the most widespread supply chain abuse operations seen in recent months, with researchers identifying 108 unique malicious packages and browser extensions distributed across npm, Packagist, Go modules, and Google Chrome extensions. Security analysts report that the campaign remains active and continues to evolve, with new infected packages expected as attackers compromise maintainer accounts, modify legitimate repositories, and publish malicious versions where registry access is available or newly obtained. The operation is tied to the broader Contagious Interview campaign, which has been targeting developers and cryptocurrency professionals through recruitment themed social engineering designed to trigger execution of malicious code during fake assessments or interviews.
According to analysis published by Socket, the campaign includes 162 malicious release artifacts mapped across 108 distinct packages and extensions, including 19 npm libraries, 10 Composer packages, 61 Go modules, and a Chrome extension. The Contagious Interview framework behind it has been active since at least 2023, with attackers impersonating recruiters or collaborators on platforms such as LinkedIn, GitHub, and freelance marketplaces. These personas are often supported by fabricated companies and AI generated employee profiles to increase credibility. Once trust is established, targets are guided into running code that silently installs malware. PolinRider was first identified in March 2026 by the OpenSourceMalware team, which observed obfuscated JavaScript payloads injected into public GitHub repositories owned by multiple users, delivering variants of BeaverTail malware associated with earlier Contagious Interview operations.
By April 11, 2026, the campaign had already impacted 1,951 public GitHub repositories tied to 1,047 unique owners, with further expansion through a related cluster known as TaskJacker. This cluster introduces malicious Visual Studio Code task files into existing repositories, configured to execute automatically using the runOn folderOpen setting inside development environments such as VS Code or Cursor. Security researchers noted that attackers are not relying on stolen GitHub credentials, but instead achieving compromise through malicious VS Code extensions or npm packages. In some cases, maintainer accounts are believed to have been taken over through expired domain recovery paths or similar account restoration mechanisms, allowing attackers to push malicious updates while maintaining the appearance of legitimate repository activity. Once active, the malware scans developer systems for configuration files including postcss.config.mjs, tailwind.config.js, eslint.config.mjs, next.config.mjs, babel.config.js, and app.js, and appends malicious JavaScript directly into them.
Further technical analysis shows the campaign uses Windows batch scripts to alter commit timestamps and disguise malicious changes as legitimate developer activity, while similar techniques are suspected on Linux and macOS environments to rewrite Git history. Socket researchers noted that the core methodology remains consistent across all clusters, involving obfuscated JavaScript loaders hidden in legitimate repositories, concealment through whitespace padding or fake .woff2 font files, and execution triggered via developer tooling such as VS Code task automation. In the latest iterations, payloads act as loaders that communicate with blockchain infrastructure including TRON, Aptos, and BNB Smart Chain to retrieve encrypted second stage payloads. These ultimately deploy DEV#POPPER RAT and OmniStealer, malware families previously analyzed by eSentire in March 2026.
Researchers warn that Git history manipulation, including force pushes and anti dated commits, makes repository timelines unreliable indicators of compromise. Instead, defenders are advised to focus on repository activity logs, package metadata, VS Code task configurations, and unexpected changes in configuration files such as .vscode/tasks.json, config.js, vite.config.js, and eslint.config.js. The campaign overlaps with other Contagious Interview related clusters identified by JFrog, including npm packages impersonating Rollup polyfill tools for remote access and data theft, as well as Go packages and npm modules embedding VS Code auto run tasks and fake font file payloads. Security guidance emphasizes that environments exposed to these packages should be treated as compromised, requiring secret rotation from clean systems, removal of affected dependencies, rebuilds from trusted lockfiles, and full audits of developer workstations for hidden execution paths or unauthorized commit manipulation.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.





