What's Happening?
North Korean hackers have launched a campaign targeting open source software developers, using a backdoor and an information stealer as part of a supply chain attack. The campaign, known as PolinRider, has been active since December 2025 and involves
compromised GitHub repositories with JavaScript loaders leading to the DEV#POPPER remote access trojan and the OmniStealer information stealer. The attackers have targeted developers across platforms such as NPM, Packagist, Go modules, and Chrome extensions. To date, 162 malicious release artifacts have been identified across 108 unique packages. The attackers compromise maintainer accounts to tamper with legitimate repositories and use Git history rewriting to disguise the malicious changes. The compromised repositories contain obfuscated JavaScript loaders that connect to blockchain and public RPC infrastructure to retrieve encrypted payloads.
Why It's Important?
This campaign highlights the growing threat of supply chain attacks, which can have widespread implications for software security. By targeting open source developers, the attackers can potentially compromise a vast array of software projects, leading to significant security breaches. The use of sophisticated techniques such as Git history rewriting and blockchain connections indicates a high level of expertise and resources, suggesting state-sponsored involvement. This poses a significant risk to the integrity of open source software, which is widely used in various industries, including critical infrastructure. Organizations relying on open source software must enhance their security measures to detect and mitigate such threats.
What's Next?
As the campaign continues, more malicious packages are expected to emerge. Organizations using affected packages should conduct thorough reviews of their installation environments and consider remediation from clean machines. The cybersecurity community will likely increase efforts to identify and neutralize such threats, while developers and maintainers of open source projects may need to implement stricter security protocols to protect their repositories. Additionally, there may be increased collaboration between governments and the tech industry to address the threat posed by state-sponsored cyber attacks.















