www.securityweek.com 7/6/2026, 1:31:21 PM · external

North Korean hackers use PolinRider to hijack GitHub repos

North Korean hackers use PolinRider to hijack GitHub repos
CyberSIXT Evidence Panel
Primary Source socket.dev

NORTH Korean hackers are targeting open-source software developers through a campaign known as PolinRider, which has been active since December 2025. This campaign involves compromising GitHub repositories to inject malicious JavaScript loaders, leading to the installation of a remote access trojan (DEV#POPPER) and an information stealer (OmniStealer). So far, 162 malicious artifacts across 108 packages have been identified.

The attacks exploit legitimate repositories, utilizing obfuscation techniques and Git history rewriting to mask malicious activity. Victims are cautioned to treat their environments as compromised and perform clean installations from secure machines. The campaign is linked to broader North Korean operations targeting various development platforms.

View Primary Source Via www.securityweek.com

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline