Executive Summary
The PolinRider campaign represents a significant escalation in supply chain attacks orchestrated by North Korean threat actors, specifically those associated with the Lazarus Group and APT37. In this campaign, adversaries have published at least 108 malicious packages and browser extensions across major open-source ecosystems, including npm, Packagist, Go modules, and the Chrome Web Store. The attackers leveraged sophisticated techniques to compromise legitimate developer accounts and repositories, injecting highly obfuscated malware loaders into widely used packages. These loaders are designed to evade detection, establish covert command-and-control (C2) channels, and deploy multi-stage payloads capable of credential theft, source code exfiltration, and further lateral movement. The campaign is ongoing, with new malicious artifacts surfacing regularly, posing a critical risk to organizations and individuals relying on open-source software for development and production environments.
Threat Actor Profile
The PolinRider campaign has been attributed to North Korean state-sponsored actors, primarily the Lazarus Group (whose activity overlaps with the cluster CrowdStrike tracks as Famous Chollima) and APT37 (also known as Reaper or ScarCruft). These groups are known for advanced persistent threat (APT) operations targeting financial institutions, cryptocurrency exchanges, and software supply chains globally. Their modus operandi includes social engineering, spear-phishing, and the exploitation of trust relationships within the open-source community to gain initial access. The actors demonstrate a high level of operational security: they rotate infrastructure frequently, stage payloads on public blockchains rather than on hosting that can be taken down, and employ anti-forensic techniques such as history rewriting and backdated commits to obscure when malicious code was introduced. The campaign's scale and technical sophistication underscore a strategic intent to compromise developer environments and CI/CD pipelines, enabling downstream attacks on a broad spectrum of organizations.
Technical Analysis of Malware/TTPs
The PolinRider campaign employs a multi-stage attack chain, beginning with the compromise of maintainer accounts on platforms such as GitHub, npm, and Packagist. Initial access is typically achieved through credential theft, expired domain takeovers (re-registering a lapsed domain behind a maintainer's e-mail address so that password-reset mail lands with the attacker), or other abuse of account recovery mechanisms. Once access is obtained, the attackers rapidly modify multiple repositories, often using force-pushes and backdated commits so that the malicious change appears to have been part of the history for some time and does not show up as a recent push.
The primary infection vector is the insertion of obfuscated JavaScript loaders into legitimate repositories. These loaders are placed in files that developers and reviewers rarely read closely: configuration files such as vite.config.js, eslint.config.js, and .vscode/tasks.json, and files disguised as binary assets, such as .woff2 fonts that actually contain JavaScript and are executed with Node.js. The obfuscation techniques include excessive whitespace padding (pushing the payload far to the right of a line that looks innocuous in an editor), single-line payloads, and encoding to evade static analysis and casual code review.
Upon execution, the loader makes outbound connections to public blockchain RPC endpoints, including TRON, Aptos, and BNB Smart Chain, which serve as a dead drop: the loader reads the encoded second-stage payload from on-chain data, decodes it in memory with an XOR key embedded in the loader, and executes the result via eval(), so the second stage never has to be written to disk. The decoded payloads, such as DEV#POPPER and OmniStealer, provide arbitrary command execution, credential harvesting, browser data exfiltration, cryptocurrency wallet theft, and C2 communication over the socket.io-client library.
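The artifact classes described above (tasks that fire on folder open, fonts that are not fonts, and padded single-line eval() payloads in config files) are cheap to triage mechanically. The script below is an added example written for this advisory; it is not Socket.dev's scanner and contains no code from the campaign. The file names come from the text; the thresholds (line length, whitespace-run length), the regular expressions, and the sample checkout it builds in a temporary directory are assumptions constructed for the demo.

```python
"""Triage a checkout for PolinRider-style loader artifacts (added example)."""
import json
import os
import re
import tempfile

WOFF2_MAGIC = b"wOF2"       # every genuine WOFF2 font starts with this signature
LONG_LINE = 1500            # assumed: a config line this long is worth a look
PAD_RUN = re.compile(r"[ \t]{120,}\S")             # assumed: code hidden past a whitespace run
EVAL_CALL = re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(")
FOLDER_OPEN = re.compile(r'"runOn"\s*:\s*"folderOpen"')
SCRIPT_EXT = (".js", ".mjs", ".cjs", ".ts")


def check_script(text):
    """Findings for a JS/TS config file: long line, padded payload, eval()."""
    findings = []
    if any(len(line) > LONG_LINE for line in text.splitlines()):
        findings.append("line longer than %d chars" % LONG_LINE)
    if PAD_RUN.search(text):
        findings.append("code hidden behind a long whitespace run")
    if EVAL_CALL.search(text):
        findings.append("eval()/new Function() call")
    return findings


def check_tasks_json(text):
    """Findings for .vscode/tasks.json: tasks that run as soon as the folder opens."""
    findings = []
    try:
        doc = json.loads(text)
        tasks = doc.get("tasks", []) if isinstance(doc, dict) else []
        for task in tasks:
            if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                findings.append("task %r runs on folderOpen: %s"
                                % (task.get("label"), task.get("command")))
    except ValueError:
        # tasks.json is often JSONC (comments, trailing commas); fall back to text
        if FOLDER_OPEN.search(text):
            findings.append("runOn folderOpen (file is JSONC, not parsed)")
    return findings


def check_font(data):
    """Findings for a .woff2: wrong magic bytes, or script text inside it."""
    findings = []
    if not data.startswith(WOFF2_MAGIC):
        findings.append("missing WOFF2 magic")
    if EVAL_CALL.search(data.decode("latin-1")):
        findings.append("eval() inside font file")
    return findings


def scan_tree(root):
    """Walk a checkout; return {relative path: findings} for suspicious files only."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name == "tasks.json" and os.path.basename(dirpath) == ".vscode":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = check_tasks_json(fh.read())
            elif name.endswith(".woff2"):
                with open(path, "rb") as fh:
                    findings = check_font(fh.read())
            elif name.endswith(SCRIPT_EXT):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = check_script(fh.read())
            else:
                continue
            if findings:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return report


def build_sample_tree():
    """Constructed demo checkout (no real campaign artifacts): one clean config,
    one padded eval() config, one real-looking font, one JS file posing as a font,
    and a tasks.json that runs the fake font with node on folder open."""
    root = tempfile.mkdtemp(prefix="polinrider-demo-")
    os.makedirs(os.path.join(root, ".vscode"))
    os.makedirs(os.path.join(root, "assets"))
    files = {
        "vite.config.js": "export default { plugins: [] };\n",
        "eslint.config.js": "export default [];" + " " * 300
                            + "eval(atob('Ly8gZGVtbw=='));\n",
        ".vscode/tasks.json": json.dumps({"version": "2.0.0", "tasks": [{
            "label": "build", "type": "shell",
            "command": "node assets/font.woff2",
            "runOptions": {"runOn": "folderOpen"}}]}),
        "assets/real.woff2": b"wOF2" + b"\x00" * 40,
        "assets/font.woff2": b"var k=0x2a;eval(String.fromCharCode(0x2f,0x2f));\n",
    }
    for rel, content in files.items():
        mode = "wb" if isinstance(content, bytes) else "w"
        with open(os.path.join(root, rel), mode) as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, findings in sorted(scan_tree(build_sample_tree()).items()):
        print(path, "->", "; ".join(findings))
```

Run it against a real checkout with scan_tree("/path/to/repo"). The checks are deliberately loose: a legitimate eslint.config.js that calls eval() or a hand-written tasks.json with runOn folderOpen will be flagged too, and that is the intent; every hit should be read by a human, and an .woff2 without the wOF2 signature has no innocent explanation.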
The campaign's loader-based architecture allows the second-stage malware to be swapped without touching the compromised repositories again, enabling the threat actors to adapt quickly to detection and takedown efforts. Using a public blockchain for payload delivery further complicates takedown and remediation: data written to a chain cannot be removed by a registry or hosting provider, and the RPC endpoints are legitimate public services, so defenders must block or monitor those endpoints from developer and build hosts rather than wait for infrastructure takedowns.
Exploitation in the Wild
Active exploitation of the PolinRider campaign has been observed across multiple open-source ecosystems. Malicious packages have been published and, in some cases, integrated into legitimate projects, resulting in downstream infections. Notable examples include compromised npm packages such as tailwindcss-style-animate, tailwind-mainanimation, and tailwind-autoanimation, as well as Go modules and PHP packages under the sevenspan namespace on Packagist.
Victims include individual developers, open-source projects, and organizations with automated CI/CD pipelines that ingest dependencies from public registries. The attackers have also targeted browser extension users via malicious Chrome extensions. Infected environments have exhibited signs of credential theft, unauthorized access to source code repositories, and exfiltration of sensitive data. The campaign’s ongoing nature, with new packages and extensions appearing weekly, highlights the persistent threat to the software supply chain.
Victimology and Targeting
The PolinRider campaign exhibits a broad targeting profile, with a primary focus on the software development, cryptocurrency, and open-source supply chain sectors. Victims span the globe, with heightened activity observed in organizations and individuals active on GitHub, npm, Packagist, and the Chrome Web Store. The attackers prioritize projects with high downstream impact, aiming to maximize the reach of their malicious payloads through transitive dependencies and automated build systems. Notably, CI/CD environments are at elevated risk due to their reliance on automated dependency resolution and the potential for lateral movement within organizational networks. The campaign’s victimology underscores the importance of rigorous supply chain security practices and continuous monitoring of third-party dependencies.
Mitigation and Countermeasures
Organizations and individuals are strongly advised to treat any environment where affected packages or extensions were installed as potentially compromised. Immediate actions should include preserving forensic artifacts prior to remediation, rebuilding environments from known-good lockfiles that pin versions published before the compromise, and rotating all secrets (including npm, GitHub, cloud, and CI/CD credentials) from a clean, uncompromised machine. Security teams should audit for suspicious VS Code tasks configured to execute on folder open (runOptions.runOn set to folderOpen in .vscode/tasks.json), unexpected execution of .woff2 files with Node.js, and unauthorized modifications to configuration files.
Detection efforts should focus on monitoring outbound connections to blockchain RPC endpoints from developer environments, searching for obfuscated JavaScript in configuration and asset files, and reviewing GitHub activity logs for force-pushes and backdated commits. Note that a force-push leaves no trace in the branch history it replaces, so it must be found in push events or the organization audit log rather than in git log; backdated commits, by contrast, often remain visible in commit metadata as a mismatch between author and committer dates. The use of tools such as the Socket.dev PolinRider Tracker and the polinrider-scanner.sh script is recommended for up-to-date indicators of compromise and automated scanning of repositories.
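The commit-metadata review described above can be scripted from plain git log output. The following is an added example written for this advisory, not the polinrider-scanner.sh script or any other tooling from the page; the one-week skew threshold, the maintainer allow-list, and the sample log (newest first, in the format produced by git log --first-parent --format='%H|%ae|%at|%ct|%s') are assumptions constructed for the demo.

```python
"""Flag backdated or rewritten commits from git log metadata (added example)."""
import sys
from collections import namedtuple

Commit = namedtuple("Commit", "sha email author_ts commit_ts subject")

# Assumed threshold: an author date more than a week behind the committer date
# means the commit was created (or rebased) long after the date it claims.
SKEW_SECONDS = 7 * 24 * 3600

# Assumed maintainer allow-list for the demo repository.
TRUSTED = ("maintainer@example.invalid",)

# Constructed sample, newest first, as produced by
#   git log --first-parent --format='%H|%ae|%at|%ct|%s'
SAMPLE_LOG = """\
aaaa0004|intruder@example.invalid|1704067200|1718000000|chore: refresh font assets
aaaa0003|maintainer@example.invalid|1717990000|1717990000|fix: eslint config
aaaa0002|intruder@example.invalid|1704067200|1704067200|build: add vite helper
aaaa0001|maintainer@example.invalid|1715000000|1715000000|feat: initial plugin
"""


def parse_log(text):
    """Parse '%H|%ae|%at|%ct|%s' lines (newest first) into Commit tuples."""
    commits = []
    for line in text.strip().splitlines():
        sha, email, author_ts, commit_ts, subject = line.split("|", 4)
        commits.append(Commit(sha, email, int(author_ts), int(commit_ts), subject))
    return commits


def find_anomalies(commits, trusted_emails=()):
    """Return {sha: [reasons]} for commits whose metadata suggests rewriting.

    Three signals: author date far behind committer date (a fresh commit given
    an old --date, or a rebase that reset the committer date), a committer date
    earlier than the parent's (history stitched back together out of order),
    and an author address outside the maintainer list.
    """
    flagged = {}

    def flag(commit, reason):
        flagged.setdefault(commit.sha, []).append(reason)

    parent = None
    for commit in reversed(commits):          # walk oldest -> newest
        skew = commit.commit_ts - commit.author_ts
        if skew > SKEW_SECONDS:
            flag(commit, "author date %d days behind committer date" % (skew // 86400))
        if parent is not None and commit.commit_ts < parent.commit_ts:
            flag(commit, "committer date earlier than parent %s" % parent.sha[:7])
        if trusted_emails and commit.email not in trusted_emails:
            flag(commit, "author %s not in maintainer list" % commit.email)
        parent = commit
    return flagged


if __name__ == "__main__":
    # Pipe real output in, or run without input to analyse the constructed sample.
    log_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for sha, reasons in find_anomalies(parse_log(log_text), TRUSTED).items():
        print(sha, "->", "; ".join(reasons))
```

The two date checks cover an attacker who sets only --date (author date) and one who sets GIT_COMMITTER_DATE as well but appends the commit after newer ones. An attacker who rewrites the whole branch with consistent dates on every commit leaves nothing for this script to find, which is why the text pairs commit review with force-push detection on the GitHub side; expect some noise from legitimate rebases, which also produce author/committer skew.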
Long-term countermeasures include implementing strict dependency management policies, leveraging software composition analysis (SCA) tools, enforcing multi-factor authentication (MFA) on all developer accounts, and conducting regular security awareness training. Organizations should also consider isolating build environments, restricting outbound network access from CI/CD systems, and participating in coordinated vulnerability disclosure programs to enhance supply chain resilience.
References
Socket.dev: PolinRider Campaign Analysis
Socket.dev: Live PolinRider IOC Tracker
The Hacker News: North Korean Hackers Publish 108 Malicious Packages
OpenSourceMalware/PolinRider: Full CSV of affected repos
MITRE ATT&CK: APT37
MITRE ATT&CK: Lazarus Group
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their extended supply chain. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure the integrity of critical business operations. For more information about how Rescana can help safeguard your organization, please contact us at info@rescana.com.