hacker-news · Crawled Jul 5, 2026
North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign
AI Summary
North Korean threat actors associated with the Contagious Interview campaign have launched the PolinRider operation, distributing 108 malicious packages and browser extensions across npm, Packagist, Go, and Google Chrome. The attack targets developers in the cryptocurrency sector through social engineering, compromising maintainer accounts to inject obfuscated JavaScript payloads into legitimate repositories. These payloads deliver second-stage malware such as DEV#POPPER RAT and OmniStealer by leveraging blockchain infrastructure and malicious VS Code task files, while using Git history manipulation to evade detection.
MITRE ATT&CK TTPs (17 techniques)
T1003 OS Credential Dumping · Credential Access
T1005 Data from Local System · Collection
T1027 Obfuscated Files or Information · Defense Evasion
T1056.001 Keylogging · Collection
T1056.002 GUI Input Capture · Collection
T1059.001 PowerShell · Execution
T1059.007 JavaScript · Execution
T1071 Application Layer Protocol · Command and Control
T1071.001 Web Protocols · Command and Control
T1071.003 Mail Protocols · Command and Control
T1082 System Information Discovery · Discovery
T1114 Email Collection · Collection
T1195.002 Compromise Software Supply Chain · Initial Access
T1482 Domain Trust Discovery · Discovery
T1490 Inhibit System Recovery · Impact
T1555 Credentials from Password Stores · Credential Access
T1566 Phishing · Initial Access