A new North Korean threat has emerged that is targeting open-source projects, with supply chain firms the key target. According to researchers at security firm Socket, affected entities are at risk of losing “package registry, source code, cloud, and CI/CD credentials.”
The cyber campaign detailed by Socket is being referred to as PolinRider, and it has been active since at least December 2025. It’s been prolific in that time, with Socket identifying “162 malicious release artifacts across 108 packages and extensions in npm, Packagist, Go modules, and Chrome extensions.”
The attack centers on a JavaScript malware loader that links with blockchain and RPC frameworks to call down additional payloads onto the infected machine. These payloads include the DEV#POPPER Remote Access Trojan (RAT) and OmniStealer, a malware strain capable of exfiltrating user credentials, digital wallets, and more. Yet because PolinRider utilizes an embedded loader, Socket warned that the list of payloads could be expanded at will.
A key aspect of the attackers’ plan is to plant obfuscated JavaScript loaders inside legitimate GitHub repositories, obscuring their true purpose using whitespace padding or bogus .woff2 font files that push the malicious code off the user’s default screen width. They then hide their Git changes using history rewriting to make them appear older, — and thus less suspicious, — than they actually are.
So, what can you do?
Since the campaign is still active, Socket cautioned that “new malicious packages are likely to continue appearing as threat actors compromise maintainer accounts, modify legitimate repositories, and publish infected package versions where they retain or obtain registry access.”
In other words, this threat isn’t going anywhere any time soon, meaning heightened awareness and robust security procedures are a must. If you’ve installed any of the affected packages, you need to “treat the installing environment as potentially compromised,” Socket explained.
Socket advised that “defenders should review repository activity logs, package release metadata, VS Code task configuration, and suspicious changes to configuration files.” Simply checking the project’s GitHub commit history isn’t enough given the campaign’s use of history rewriting to obscure changes cloaking tactics.
“Teams that installed affected package versions should treat the environment as compromised,” Socket noted. The organization added that users should “preserve forensic artifacts, rebuild from known-good lockfiles, rotate exposed secrets from a clean machine, and audit developer workstations and repositories for hidden execution paths.”