North Korean PolinRider Campaign: 108 Malicious Packages Across npm, Packagist, Go, and Chrome — Active Supply Chain Attack

North Korean PolinRider Campaign: 108 Malicious Packages Across npm, Packagist, Go, and Chrome — Active Supply Chain Attack

Supply Chain Advisory: PolinRider Campaign | No CVE | Threat Actor: North Korean (Contagious Interview group) | Targets: npm, Packagist, Go modules, Chrome extensions | Status: Active


What Happened

North Korean threat actors linked to the Contagious Interview campaign have published 108 unique malicious packages and browser extensions across four ecosystems: 19 npm libraries, 10 Composer (Packagist) packages, 61 Go modules, and one Google Chrome extension. A total of 162 malicious release artifacts have been identified. The attackers are compromising maintainer accounts, modifying legitimate repositories, and publishing infected package versions. The campaign uses the established Contagious Interview tactic — targeting software developers through fake job recruitment and technical assessments that contain malicious packages.


Affected Ecosystems

  • npm (JavaScript): 19 malicious libraries
  • Packagist (PHP/Composer): 10 malicious packages
  • Go modules: 61 malicious modules
  • Google Chrome: 1 malicious extension

The packages use obfuscated JavaScript loaders and VS Code tasks to deliver malware. The campaign remains active and new packages are expected to continue appearing.


Exploited?

Yes — active campaign with confirmed compromise. Socket security researcher Karlo Zanki reports that the campaign remains active, with new malicious packages continuing to appear. The attackers have successfully compromised maintainer accounts and modified legitimate repositories. The wide ecosystem coverage (npm, Packagist, Go, Chrome) makes this one of the largest North Korean software supply chain operations disclosed this year.


Mitigation

  • Audit dependencies: Review all npm, Composer, and Go dependencies for packages matching known PolinRider indicators of compromise.
  • Minimum package age policy: Do not adopt newly published packages without a vetting period.
  • Verify maintainer integrity: Check if recently updated packages have had maintainer changes.
  • Use scanning tools: Deploy Socket, Snyk, npm audit, or similar tools to detect malicious packages.

Recommendations

  • Audit all registries: Check npm, Packagist, and Go module dependencies against the known IOC list.
  • Monitor for suspicious package updates: Unexpected version bumps or maintainer changes warrant investigation.
  • Implement registry hygiene: Use lockfiles, dependency pinning, and integrity verification.
  • Developer awareness: Warn development teams about the Contagious Interview recruitment tactic.

References


Part of the Vulnerability Intelligence series on threat-modeling.com. July 6, 2026 Report.

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!