North Korean Supply Chain Assault: PolinRider Campaign Distributes 108 Malicious Packages Across npm, Packagist, Go, and Chrome Store
North Korean threat actors linked to Contagious Interview have published 108 malicious packages and browser extensions across major package repositories and the Chrome Web Store, compromising maintainer accounts to maintain campaign continuity.
The PolinRider campaign represents a sophisticated supply chain operation by North Korean threat actors previously attributed to the Contagious Interview campaign. The distribution of 108 unique packages across four distinct package ecosystems in a single coordinated push indicates well-resourced, deliberate targeting of multiple developer communities rather than opportunistic malware placement. The breadth suggests either the compromise of multiple high-reputation maintainer accounts or the creation of new accounts with sufficient reputation to evade initial filtering.
The multi-ecosystem approach is operationally significant: npm and Packagist reach millions of web developers globally, while Go packages target infrastructure and cloud-native development. The inclusion of Chrome extensions extends reach into browser environments, where detection may be weaker than traditional endpoint security. By compromising maintainer accounts, threat actors bypass initial publication reviews and inherit existing trust signals (download counts, stars, and historically clean reputations) that defenders and automated tooling rely upon to prioritise investigation.
Defenders face a structural problem: package repositories operate with trust models designed for open collaboration rather than adversarial environments. Identifying which of the 108 packages are malicious requires manual analysis or heuristic detection, creating a triage burden. The fact that the campaign remains active and new packages are expected suggests either that rate-limiting and account takeover remediation are insufficient or that the actors maintain multiple compromised accounts. Repository operators have limited ability to retroactively identify which packages were trojanised versus legitimately uploaded by the true maintainer.
Organisations should assume that if they depend on packages from affected repositories published during the campaign window, they may have ingested malware. Incident response should prioritise: identifying which dependencies were updated or newly introduced within the campaign timeframe, checking whether install hooks or package scripts contain suspicious code, and auditing runtime behaviour of affected services. Package managers should implement mandatory code review workflows for high-dependency packages and consider rate-limiting or requiring additional authentication for sensitive operations by established maintainers.
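The first two response steps above (find dependencies that changed during the campaign window, then inspect their install hooks) as an added example that is not code from the article: a Python audit over an npm lockfile joined with registry metadata. The lockfile, registry documents, package names and the campaign window are constructed placeholders.

```python
"""Audit an npm lockfile for dependencies published inside a campaign window
that also run install-time lifecycle scripts. Added example, not code from the
article: the lockfile and registry documents are constructed samples shaped
like package-lock.json (lockfileVersion 3 "packages" map) and the npm registry
JSON ("time", "versions[v].scripts"); names and the window are placeholders."""
from datetime import datetime, timezone
import re
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Tokens worth a manual look in an install hook; a match is a reason to review, not proof.
SUSPICIOUS = re.compile(r"curl |wget |node -e|eval\(|base64|child_process", re.I)
# Placeholder window: use the dates from the advisory you are acting on.
CAMPAIGN_WINDOW = (datetime(2025, 2, 1, tzinfo=timezone.utc),
                   datetime(2025, 2, 28, tzinfo=timezone.utc))

LOCKFILE = {"lockfileVersion": 3, "packages": {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/left-padding-helper": {"version": "1.2.0"},
    "node_modules/stable-utils": {"version": "3.0.1"},
    "node_modules/color-names": {"version": "2.1.0"}}}
REGISTRY = {  # constructed subset of what GET https://registry.npmjs.org/<name> returns
    "left-padding-helper": {"time": {"1.2.0": "2025-02-10T09:12:00.000Z"},
        "versions": {"1.2.0": {"scripts": {"postinstall":
            "node -e \"require('child_process').execSync('node setup.js')\""}}}},
    "stable-utils": {"time": {"3.0.1": "2024-06-01T00:00:00.000Z"},
        "versions": {"3.0.1": {"scripts": {"install": "node-gyp rebuild"}}}},
    "color-names": {"time": {"2.1.0": "2025-02-20T15:00:00.000Z"},
        "versions": {"2.1.0": {"scripts": {"test": "jest"}}}}}

def audit_lockfile(lock, registry, window=CAMPAIGN_WINDOW):
    """One finding per dependency: was it published inside the window, which
    install hooks does it declare, and does any hook match the suspicious patterns."""
    start, end = window
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue  # skip the root project entry
        name, version = path.rsplit("node_modules/", 1)[1], entry["version"]
        meta = registry[name]
        published = datetime.fromisoformat(meta["time"][version].replace("Z", "+00:00"))
        scripts = meta["versions"][version].get("scripts", {})
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        findings.append({"name": name, "version": version, "hooks": hooks,
                         "in_window": start <= published <= end,
                         "suspicious": any(SUSPICIOUS.search(c) for c in hooks.values())})
    return findings

def needs_review(findings):
    """Prioritise: in-window packages that run an install hook, plus any suspicious hook."""
    return sorted(f["name"] for f in findings
                  if (f["in_window"] and f["hooks"]) or f["suspicious"])
```

A build hook such as `node-gyp rebuild` on an old, unchanged package is normal and is not flagged; an in-window package with no install script still merits a diff review, which this triage leaves to the analyst.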
This campaign validates the supply chain attack vector as operationally viable for state actors. The scale and coordination suggest that PolinRider is not a single campaign but an ongoing capability, and defenders should expect continued attempts to distribute malware through this channel as defenders improve perimeter security and threat actors seek persistence through trusted infrastructure.