PolinRider: DPRK Supply Chain Offensive Targeting npm, Claude Code, and GitHub CLI
North Korean state-sponsored actors, associated with the PolinRider operation and Contagious Interview campaign, are executing a multi-vector supply chain offensive targeting the developer ecosystem. By compromising GitHub maintainer accounts and utilizing package impersonation, the actors injected malicious code into npm, Packagist, and Go ecosystems. The campaign specifically targets modern toolchains, including Claude Code and GitHub CLI, to deploy Windows Remote Access Trojans (RATs), Linux native C rootkits, and credential stealers aimed at SSH keys and developer tokens. With over 108 unique malicious packages and extensions identified, the operation seeks persistent high-level access to DevOps environments and AI-assisted coding workflows.
Lazarus Group's Brandjacking Campaign targeting the npm Ecosystem
The Lazarus Group has shifted from traditional typosquatting to "brandjacking" within the npm ecosystem, deploying multi-stage droppers disguised as utilities for popular libraries like React, Buffer, and Chai. These malicious packages execute Base64-encoded strings to fetch a second-stage Node.js backdoor from jsonkeeper.com, which subsequently connects to a C2 server (45.59.163.198:1244) to deploy a final payload (f.js) into the ~/.vscode directory. By utilizing npm install --silent for dependency resolution, the attackers establish persistent remote code execution (RCE) on developer workstations, posing a critical risk to CI/CD pipelines and source code repositories.