{"id":4527,"date":"2026-07-08T14:52:24","date_gmt":"2026-07-08T14:52:24","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/07\/08\/north-korea-expands-the-reach-of-polinrider-supply-chain-attack-campaign\/"},"modified":"2026-07-08T14:52:24","modified_gmt":"2026-07-08T14:52:24","slug":"north-korea-expands-the-reach-of-polinrider-supply-chain-attack-campaign","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/07\/08\/north-korea-expands-the-reach-of-polinrider-supply-chain-attack-campaign\/","title":{"rendered":"North Korea Expands the Reach of PolinRider Supply Chain Attack Campaign"},"content":{"rendered":"<div><img data-opt-id=432437424  fetchpriority=\"high\" decoding=\"async\" width=\"770\" height=\"330\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2026\/07\/polinrider_supply_chain_770x330.jpg\" class=\"attachment-large size-large wp-post-image\" alt=\"\" \/><\/div>\n<p><img data-opt-id=2105539515  fetchpriority=\"high\" decoding=\"async\" width=\"150\" height=\"150\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2026\/07\/polinrider_supply_chain_770x330-150x150.jpg\" class=\"attachment-thumbnail size-thumbnail wp-post-image\" alt=\"\" \/><\/p>\n<p>The North Korean-sponsored threat groups behind the long-running fake interview scams targeting developers are expanding the PolinRider supply chain campaign that has escalated over the past several months.<\/p>\n<p>Reports from cybersecurity vendors Socket and Rescana found that two groups linked to the Democratic People\u2019s Republic of Korea (DPRK) have published at least 108 malicious packages and browser extensions across a range of open source ecosystems, from npm and Packagist to Go modules and Google\u2019s Chrome Store.<\/p>\n<p>The attackers aim to compromise legitimate developer accounts and repositories by <a href=\"https:\/\/www.rescana.com\/post\/active-exploitation-alert-north-korean-polinrider-supply-chain-attack-targets-npm-packagist-go-modules-and-chrome-extens\" target=\"_blank\" rel=\"noopener\">placing malware loaders into popular packages<\/a> that establish command-and-control (C2) systems and then deploy payloads designed to steal credentials and exfiltrate source code, as well as move laterally throughout a developer\u2019s environment, according to Rescana researchers.<\/p>\n<p>\u201cThe campaign is ongoing, with new malicious artifacts surfacing regularly, posing a critical risk to organizations and individuals relying on open-source software for development and production environments,\u201d the researchers wrote.<\/p>\n<h3>Famous Chollima and APT37<\/h3>\n<p>The PolinRider campaign is attributed to Famous Chollima \u2013 the North Korean nation-state actor that appears to be a subset of the DPRK\u2019s <a href=\"https:\/\/securityboulevard.com\/2025\/02\/north-koreas-lazarus-group-hacks-bybit-steals-1-5-billion-in-crypto\/\" target=\"_blank\" rel=\"noopener\">high-profile Lazarus Group<\/a> and is linked to the complex <a href=\"https:\/\/securityboulevard.com\/2025\/04\/north-korean-group-creates-fake-crypto-firms-in-job-complex-scam\/?__hstc=48761529.62562598e66181ffaa14612382b677c7.1756476334428.1783458056942.1783509800535.78&amp;__hssc=48761529.4.1783509800535&amp;__hsfp=ac0ef8ecc1e49e7d14dd897150b73271\" target=\"_blank\" rel=\"noopener\">Contagious Interview scam<\/a> \u2013 and APT37, also known as Reaper or ScarCruft.<\/p>\n<p>In the Contagious Interview campaign \u2013 which dates back at least three years \u2013 Famous Chollima targets software developers and those working in crypto by using fake job advertisements on sites like LinkedIn and GitHub and interviews to trick victims into installing malware onto their systems and running malicious code. The malware variants used in the campaign include BeaverTail, InvisibleFerret, and OtterCookie.<\/p>\n<p>In the <a href=\"https:\/\/devops.com\/n-korean-famous-chollima-hackers-use-malicious-npm-packages-to-steal-data\/\" target=\"_blank\" rel=\"noopener\">ongoing<\/a> PolinRider campaign, the steps the groups take is consistent, according to Socket security researcher Karlo Zanki. The bad actors drop highly obfuscated JavaScript loaders into repositories and hide the code through various means, including whitespace padding \u2013 where attackers add hundreds or thousands of black spaces to push malicious payloads off-screen \u2013 or fake .woff2 font files, deceptive files that masquerade as legitimate Web Open Font Format (WOFF2) web assets that hide loaders or encrypted data.<\/p>\n<p>They use <a href=\"https:\/\/devops.com\/n-korea-contagious-interview-campaign-turns-to-vs-code-to-deliver-backdoor\/\" target=\"_blank\" rel=\"noopener\">developer tools like VS Code task files<\/a> to trigger the execution of the malware and Git history rewriting to make malicious changes to code seem older and, therefore, less suspicious.<\/p>\n<p>\u201cThis makes the GitHub landing page and visible commit history <a href=\"https:\/\/socket.dev\/blog\/polinrider-north-korea-linked-supply-chain-campaign-expands\" target=\"_blank\" rel=\"noopener\">unreliable indicators of compromise<\/a>; defenders should review repository activity logs, package release metadata, VS Code task configuration, and suspicious changes to configuration files,\u201d Zanki wrote in a report.<\/p>\n<h3>Second-Stage Payloads<\/h3>\n<p>The malware loader grabs next-stage payloads from blockchain and public Remote Procedure Call (RPC) infrastructure like TRON, Aptos, and BNB Smart Chain services. The payload, such as <a href=\"https:\/\/www.esentire.com\/blog\/north-korean-apt-malware-analysis-dev-popper-rat-and-omnistealer-everyday-im-shufflin\" target=\"_blank\" rel=\"noopener\">DEV#POPPER remote access trojan (RAT) and Python-based OmniStealer<\/a>, is decrypted with embedded XOR keys and executed.<\/p>\n<p>Zanki warned that because the malware is loader-based, the bad actors could use it to deliver other malicious code.<\/p>\n<p>The campaign is having far-reaching effects, according to Rescana. Malicious packages not only have been published, but some also have been integrated into legitimate projects that have led to infections downstream, a key goal of any supply chain attack. The researchers pointed to some npm packages \u2013 including tailwindcss-style-animate, tailwind-mainanimation, and tailwind-autoanimation \u2013 Go modules, and PHP packages within the sevenspan namespace on Packagist.<\/p>\n<p>Socket\u2019s Zanki pointed to the Xpos587 GitHub account as another example. Several repositories that are maintained by the account were modified at the same time on June 23, with the researcher noting that such a \u201csynchronized update pattern is unlikely to reflect normal maintainer activity and is consistent with account-level compromise followed by bulk repository modification.\u201d<\/p>\n<h3>Downstream Impacts<\/h3>\n<p>There have been a range of victims, including developers, open source projects, and companies with <a href=\"https:\/\/devops.com\/novee-uncovers-cordyceps-the-latest-threat-to-ci-cd-pipelines\/\" target=\"_blank\" rel=\"noopener\">automated CI\/CD pipelines<\/a> that use dependencies from public registries, with the damage being stolen credentials and other sensitive data and unauthorized access to source code repositories, according to Rescana.<\/p>\n<p>It\u2019s clear that the North Korean groups are aiming for their campaigns to reach deep downstream, hoping to rack up more victims via transitive dependencies and automated builds. Rescana researchers also noted that CI\/CD environments \u2013 which have become <a href=\"https:\/\/devops.com\/critical-microsoft-github-flaw-highlights-dangers-to-ci-cd-pipelines-tenable\/\" target=\"_blank\" rel=\"noopener\">attractive targets<\/a> of threat actors \u2013 are at a high risk from PolinRider because they rely so much on automated dependency resolution and given the level of lateral movement the bad actors can gain within an organization\u2019s networks.<\/p>\n<p>New malicious packages and extensions are emerging every week, illustrating the persistent threat PolinRider represents, Rescana wrote.<\/p>\n<p><a href=\"https:\/\/devops.com\/north-korea-expands-the-reach-of-polinrider-supply-chain-attack-campaign\/\" target=\"_blank\" class=\"feedzy-rss-link-icon\">Read More<\/a><\/p>\n<p>\u200b<\/p>","protected":false},"excerpt":{"rendered":"<p>The North Korean-sponsored threat groups behind the long-running fake interview scams targeting developers are expanding the PolinRider supply chain campaign [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4528,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[5],"tags":[],"class_list":["post-4527","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4527","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=4527"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4527\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/4528"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=4527"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=4527"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=4527"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}