North Korean Hackers Target Open-Source Devs With Hidden Malware That Steals Source Code And Credentials

New threat loads RATs and infostealers by cleverly concealing its presence inside compromised GitHub repositories.

Published on Jul 7, 2026
Alex Blake Written by Alex Blake
North Korean Hackers Target Open-Source Supply Chain Devs with Clandestine Malware

A new North Korean threat has emerged that is targeting open-source projects, with supply chain firms the key target. According to researchers at security firm Socket, affected entities are at risk of losing “package registry, source code, cloud, and CI/CD credentials.”

The cyber campaign detailed by Socket is being referred to as PolinRider, and it has been active since at least December 2025. It’s been prolific in that time, with Socket identifying “162 malicious release artifacts across 108 packages and extensions in npm, Packagist, Go modules, and Chrome extensions.”

The attack centers on a JavaScript malware loader that links with blockchain and RPC frameworks to call down additional payloads onto the infected machine. These payloads include the DEV#POPPER Remote Access Trojan (RAT) and OmniStealer, a malware strain capable of exfiltrating user credentials, digital wallets, and more. Yet because PolinRider utilizes an embedded loader, Socket warned that the list of payloads could be expanded at will.

A key aspect of the attackers’ plan is to plant obfuscated JavaScript loaders inside legitimate GitHub repositories, obscuring their true purpose using whitespace padding or bogus .woff2 font files that push the malicious code off the user’s default screen width. They then hide their Git changes using history rewriting to make them appear older, — and thus less suspicious, — than they actually are.

So, what can you do?

Since the campaign is still active, Socket cautioned that “new malicious packages are likely to continue appearing as threat actors compromise maintainer accounts, modify legitimate repositories, and publish infected package versions where they retain or obtain registry access.”

In other words, this threat isn’t going anywhere any time soon, meaning heightened awareness and robust security procedures are a must. If you’ve installed any of the affected packages, you need to “treat the installing environment as potentially compromised,” Socket explained.

Socket advised that “defenders should review repository activity logs, package release metadata, VS Code task configuration, and suspicious changes to configuration files.” Simply checking the project’s GitHub commit history isn’t enough given the campaign’s use of history rewriting to obscure changes cloaking tactics.

“Teams that installed affected package versions should treat the environment as compromised,” Socket noted. The organization added that users should “preserve forensic artifacts, rebuild from known-good lockfiles, rotate exposed secrets from a clean machine, and audit developer workstations and repositories for hidden execution paths.”

This field is for validation purposes and should be left unchanged.

FREE NEWSLETTER

Cyber Weekly

Get curated cybersecurity news, threats and insights delivered free every Thursday.

Written By Written By
Alex Blake
Alex Blake Journalist

Alex Blake is a freelance journalist who has been covering the tech world for over a decade. In that time he's interviewed Apple VPs, reviewed countless products and taken deep dives into the pressing issues of the day. You'll find his work at TechRadar, Macworld, PC Gamer, T3 and more.