
NORTH Korean hackers tied to the Contagious Interview cluster have expanded the PolinRider supply chain operation, flooding npm, Packagist and Chrome extension repositories with tainted code according to Socket researchers. The campaign, first spotted in December 2025, now spans 108 packages that contain 162 malicious artefacts, putting developer credentials and source code at immediate risk.
Investigators found that the malicious payloads are concealed in seemingly innocent configuration files where a JavaScript loader is injected, and in some cases the code is disguised as a .woff2 font file to bypass casual inspection as detailed in the same analysis. This technique allows the payload to execute during routine build steps without raising alarms.
Once executed, the loader drops a remote access trojan labelled DEV#POPPER and an information stealer known as OmniStealer, which harvest session tokens, SSH keys, GPG credentials and any source code present in the compromised workspace. The stolen data is then exfiltrated to attacker‑controlled endpoints, giving the operators persistent access to development infrastructures.
The operation relies on hijacked GitHub repositories, where threat actors rewrite commit histories and employ obfuscation to hide malicious changes as reported by SecurityWeek. Since its inception, the campaign has remained active, adapting its tactics to target multiple language ecosystems and continuous integration pipelines.
Security teams should treat any system that has pulled the affected packages as compromised, immediately remove the malicious dependencies, rebuild the project from a clean baseline and rotate all secrets including API keys, database passwords and SSH keys used in build environments. Reviewing audit logs for unexpected network connections can also help identify early signs of exfiltration.
To limit future risk, organisations should enforce signed commits, verify provenance of third‑party components with software composition analysis tools and maintain immutable locks on dependency versions. Regularly scanning for unusual file types such as .woff2 files that contain executable code can also catch similar supply chain tricks before they reach production.