← Back to Daily Briefing

North Korean state-sponsored actors, associated with the PolinRider operation and Contagious Interview campaign, are executing a multi-vector supply chain offensive targeting the developer ecosystem. By compromising GitHub maintainer accounts and utilizing package impersonation, the actors injected malicious code into npm, Packagist, and Go ecosystems. The campaign specifically targets modern toolchains, including Claude Code and GitHub CLI, to deploy Windows Remote Access Trojans (RATs), Linux native C rootkits, and credential stealers aimed at SSH keys and developer tokens. With over 108 unique malicious packages and extensions identified, the operation seeks persistent high-level access to DevOps environments and AI-assisted coding workflows.

  • Incident Overview: Operation PolinRider

    • Attributed to North Korean state-sponsored threat actors linked to the "Contagious Interview" campaign.
    • Identified 108 unique malicious packages and browser extensions distributed across multiple registries.
    • Operation remains active, with threat actors continuously hijacking maintainer accounts to release infected versions.
  • Attack Vectors & Delivery Mechanics

    • Account Hijacking: Compromising legitimate GitHub maintainer accounts to publish malicious updates to trusted packages.
    • Ecosystem Poisoning: Utilizing impersonation and typosquatting across npm, Packagist, and Go package managers.
    • Browser-Based Vectors: Deployment of malicious Google Chrome extensions to facilitate initial access and data theft.
  • Technical Payload Analysis

    • Windows RAT: High-level Remote Access Trojans used for command execution and system control.
    • Linux C Rootkit: Deployment of native C-based rootkits to ensure stealthy, low-level persistence on developer machines.
    • Credential Exfiltration: Specialized stealers designed to target SSH keys and developer-specific authentication tokens.
  • Targeted Toolchains & Impact

    • AI-Assisted Coding: Specifically targeting Claude Code to intercept sensitive prompts, API keys, or source code.
    • CLI Tooling: Targeting GitHub CLI to gain unauthorized access to private repositories and CI/CD pipelines.
    • Demographic Focus: High-value targets include software developers, DevOps engineers, and AI practitioners.
  • Defensive Actions & Mitigation

    • Implement strict dependency pinning and utilize lockfiles (e.g., package-lock.json) to prevent automatic updates to compromised versions.
    • Mandate hardware-based MFA for all maintainer accounts and developer identities.
    • Conduct audits of installed browser extensions and monitor for anomalous outbound traffic to unknown C2 infrastructure.

Related posts

  1. techjacksolutions.com — Concurrent npm Supply Chain Campaigns Deliver Windows RAT, Linux Rootkit, and Developer Credential Stealers, One Cluster Linked to North Korean PolinRider Operation
  2. Osintsights
  3. Cybersecurity News — North Korea-Linked Hackers Hide JavaScript Loaders in Open Source Repositories
  4. Sonatype
  5. Daily
  6. Threats
  7. Developer-tech
  8. Ground
  9. Cyberpress
  10. feeds.feedburner.com — North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign
  11. Bellatorcyber
  12. Github
  13. Threats
  14. Darkreading
  15. Podcasts
  16. Mallory
  17. Github
  18. Breached
  19. Youtube
  20. Socket
  21. Reddit
  22. Medium

LINK COPIED TO CLIPBOARD