32m ago · socket-dev
PolinRider is a North Korea-linked supply chain campaign targeting developer ecosystems, including npm, Packagist, Go modules, and Chrome extensions. The threat actors compromise maintainer accounts, modify legitimate repositories with obfuscated JavaScript loaders, and use Git history rewriting to conceal malicious changes. These loaders retrieve encrypted second-stage payloads from blockchain infrastructure, execute them via eval(), and have delivered malware such as DEV#POPPER and OmniStealer. The campaign remains active, with ongoing compromises across multiple open source platforms.
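
A triage heuristic for the loader behaviour described above, as an added example that is not part of the original post and not taken from the campaign's code. It flags JavaScript in which remotely fetched data can reach `eval()`; the patterns, the line-length threshold, the verdict names and the sample strings are all assumptions constructed for illustration.

```javascript
// Added example: heuristic triage only, not signatures from the campaign.
// Flags JavaScript that combines dynamic code execution with a remote fetch
// and obfuscation traits. Patterns and thresholds are assumptions.
const INDICATORS = {
  // eval(...) or new Function(...) executing a string built at runtime
  dynamicExec: /\beval\s*\(|\bnew\s+Function\s*\(/,
  // network retrieval primitives available in Node or the browser
  remoteFetch: /\bfetch\s*\(|\bXMLHttpRequest\b|\brequire\s*\(\s*['"](?:node:)?https?['"]\s*\)/,
  // a decoding or decryption step between retrieval and execution
  decodeStep: /\batob\s*\(|Buffer\.from\s*\([^)]*,\s*['"](?:base64|hex)['"]|createDecipheriv/,
  // obfuscator-style identifiers such as _0x3fa2b1
  hexIdentifiers: /\b_0x[0-9a-f]{3,}\b/i,
};
const MAX_LINE = 1000; // assumption: hand-written source rarely exceeds this

function scanSource(name, source) {
  const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(source));
  // Very long lines are a common trait of minified or obfuscated code
  if (source.split(/\r?\n/).some((line) => line.length > MAX_LINE)) hits.push('longLine');
  // Escalate to "block" only when fetched data can reach an execution sink
  const execOfRemote = hits.includes('dynamicExec') && hits.includes('remoteFetch');
  let verdict = 'clean';
  if (execOfRemote) verdict = 'block';
  else if (hits.includes('dynamicExec') || hits.length >= 2) verdict = 'review';
  return { name, hits, verdict };
}

function scanAll(files) {
  return Object.entries(files).map(([name, source]) => scanSource(name, source));
}

// Constructed samples; none is taken from a real package.
const SAMPLES = {
  'loader.js': 'const _0x1a2b=await fetch(u).then(r=>r.text());eval(atob(_0x1a2b));',
  'template.js': "module.exports = (s) => eval('`' + s + '`');",
  'client.js': 'export const get = (u) => fetch(u).then((r) => r.json());',
};

for (const r of scanAll(SAMPLES)) {
  console.log(r.verdict.padEnd(6), r.name, r.hits.join(','));
}
```

Run it over the changed files of a dependency update or a pull request; a `review` verdict on a lone `eval()` is expected for some legitimate templating code and needs a human look rather than an automatic block.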