← Back to blog

North Korean Hackers Deploy 108 Malicious Packages in PolinRider Campaign

State-sponsored threat actors are actively compromising maintainer accounts to distribute malware via popular package repositories and browser extensions. Security teams should review dependencies and monitor for suspicious updates.

TL;DR

  • North Korean APT linked to Contagious Interview published 108 malicious packages/extensions
  • Targets include npm, Packagist, Go modules, and Chrome Web Store
  • Attack method relies on compromised maintainer accounts
  • Campaign is ongoing with new packages expected
  • Organizations should audit third-party dependencies and enforce supply chain security

Threat actors affiliated with North Korea have launched a widespread software supply chain attack by publishing 108 distinct malicious packages and browser extensions. These artifacts were distributed through major developer ecosystems including npm, Packagist, Go module repositories, and the Google Chrome Web Store.

The campaign, tracked as PolinRider, represents a significant escalation in the group's tactics. Rather than directly targeting end users, attackers are compromising legitimate maintainer accounts to inject malware into trusted software distributions. This approach allows them to bypass traditional security controls and potentially reach a wide audience of developers and organizations.

Attack Vector and Targets

  • Attackers compromise existing maintainer accounts rather than creating new ones
  • Malicious packages published across multiple languages and platforms: JavaScript (npm), PHP (Packagist), Go modules, and Chrome extensions
  • Each package contains unique payloads suggesting tailored objectives
  • Compromised accounts may still appear legitimate to automated security tools

Security Recommendations

  • Audit all third-party dependencies for unusual updates or new maintainers
  • Implement multi-factor authentication and access controls for package maintainers
  • Monitor package repositories for suspicious activity using automated detection tools
  • Establish incident response procedures for compromised open-source projects
  • Consider pinning dependency versions and using software composition analysis tools

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

North Korean Hackers Deploy 108 Malicious Packages in PolinRider Campaign — Agent Breach Blog | Agent Breach