North Korean Hackers Conceal JavaScript Loaders in Open Source Repos

David kimber
July 3, 2026

Key Takeaways

  • North Korean threat actors are deploying malicious JavaScript loaders in a widespread supply chain attack dubbed “PolinRider.”
  • The campaign has infected 162 release artifacts across 108 unique packages and extensions, including Go modules, Packagist packages, and a Chrome extension.
  • Attackers use sophisticated methods to conceal payloads, including hiding obfuscated JavaScript in configuration files and disguising it as legitimate font files.
  • Compromised GitHub accounts are being used to inject malicious code and manipulate repository histories to evade detection.
  • The malware payloads, DEV#POPPER and OmniStealer, are capable of remote command execution and exfiltrating sensitive data like credentials, browser information, and cryptocurrency wallet details.

North Korea-Linked Hackers Conceal JavaScript Loaders in Open Source Repositories

A sophisticated new supply chain attack, identified as “PolinRider,” is actively targeting developers by embedding malicious JavaScript loaders within trusted open-source code repositories. This campaign, attributed to North Korean threat actors, represents a significant expansion of their tactics, moving beyond traditional phishing to directly compromise the software supply chain.

Security researchers have linked PolinRider to North Korean groups known as Contagious Interview and Famous Chollima. These entities have a history of targeting software engineers with deceptive job offers and compromised coding challenges. PolinRider appears to be an evolution of this strategy, now leveraging seemingly legitimate packages to deliver its malicious payloads.

The scope of PolinRider is particularly alarming due to its multi-ecosystem reach. Initially observed on npm, the campaign has since infiltrated Packagist, Go modules, and even a Chrome extension, indicating a broad and adaptable attack strategy. This versatility allows the attackers to exploit a wider array of development environments.

Socket.dev said in a report that their analysis uncovered 162 malicious release artifacts distributed across 108 unique packages and extensions. This includes 80 compromised Go modules, 10 Packagist packages, and one Chrome extension. The sheer volume and diversity of compromised assets highlight the significant threat this campaign poses to the open-source community.

The insidious nature of PolinRider lies in its ability to blend malicious code seamlessly into legitimate files, making detection difficult for developers. Many may have inadvertently installed or executed compromised packages without any indication of a security breach.

Evasive Tactics and Payload Delivery

The attackers behind PolinRider employ a combination of established and novel techniques to maintain stealth. Early iterations of the campaign involved burying obfuscated JavaScript within common configuration files, such as those ending in config.js. This method relies on developers typically not scrutinizing every line of configuration code.

More recently, the threat actors have advanced their obfuscation by disguising malicious scripts as fake .woff2 font files. This file format is highly unlikely to be inspected by developers, providing an effective cover for the hidden payload. The execution of these scripts is triggered through Visual Studio Code task files, which can be configured to run automatically when a project folder is opened, ensuring silent activation.

Once activated, the loader establishes connections to various blockchain and public RPC services, including TRON, Aptos, and BNB Smart Chain networks. These connections are leveraged to retrieve an encrypted second-stage payload. The payload is then decrypted using an embedded XOR key and executed via the eval function, a common technique for dynamic code execution.

Analysis of the retrieved payloads reveals the deployment of malware such as DEV#POPPER and OmniStealer. Both are potent information stealers and remote access tools. They communicate with attacker-controlled servers using socket.io-client and are designed to exfiltrate sensitive data, including user credentials, browser data, and cryptocurrency wallet information.

Account Compromise and Repository Manipulation

A critical component of the PolinRider campaign involves the compromise of developer accounts and subsequent manipulation of repositories. For instance, a GitHub account named Xpos587 showed suspicious activity on June 23 at 10:00 UTC, where multiple repositories linked to it were modified within a short timeframe. This synchronized activity strongly suggests an account takeover rather than routine maintenance.

Specific repositories associated with the Xpos587 account, including Xpos587/git2md and Xpos587/markfetch, were found to contain the hidden JavaScript loader. Another independent project, Artiffusion-Inc/mirofish, was also compromised. While markfetch utilized the fake font file trick, mirofish concealed its payload within a vite.config.js file.

On Packagist, the campaign expanded under the sevenspan namespace, associated with the 7span organization. The 7span/react-list package was identified among those affected. Although maintainers removed the fake font files upon discovery, obfuscated code embedded in configuration files often remained, underscoring that partial remediation is insufficient.

The attackers further refined their evasion tactics by manipulating Git history, using force pushes and backdated commits to make tampered code appear older and more legitimate than it is. Because of this, the visible commit history on platforms like GitHub cannot be trusted on its own. Defenders must review the platform's direct activity logs to get a complete and accurate picture of repository changes.

What You Should Do

  • Assume compromise: Any environment that has run an affected package should be treated as compromised until a thorough investigation proves otherwise.
  • Preserve forensic evidence: Before remediation, ensure all relevant logs and system states are captured for forensic analysis.
  • Rebuild from trusted sources: Rebuild development environments and applications from known good lockfiles or clean backups.
  • Rotate secrets: Immediately rotate all exposed credentials, API keys, and other secrets from a clean, uninfected machine.
  • Audit VS Code tasks: Review all Visual Studio Code task files (e.g., .vscode/tasks.json) for any tasks configured with "runOn": "folderOpen" that could trigger malicious scripts.
  • Inspect repository changes: Scrutinize repository activity logs for suspicious modifications to critical files like tasks.json, config.js, and vite.config.js, paying close attention to force pushes or backdated commits.
  • Implement supply chain security tools: Utilize tools that scan for malicious packages and detect anomalies in dependencies.
  • Educate developers: Reinforce best practices for validating the authenticity and integrity of open-source packages before integration.
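A repository triage script in the spirit of the two audit items above (VS Code tasks and fake font files), added here as an example and not code from the report or from the affected projects: it flags any .vscode/tasks.json task set to run on folder open and any .woff2 file that lacks the WOFF2 signature. The sample checkout it builds is constructed test data; the file names and the task command in it are assumptions.

```python
import json
import tempfile
from pathlib import Path

WOFF2_MAGIC = b"wOF2"  # every genuine WOFF2 font begins with this 4-byte signature

def folder_open_tasks(text):
    """Commands of tasks set to auto-run on folder open; None if tasks.json cannot be parsed."""
    try:
        data = json.loads(text)  # tasks.json may be JSONC; a parse failure still deserves a look
    except json.JSONDecodeError:
        return None
    return [t.get("command") or t.get("label", "<unnamed>")
            for t in data.get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]

def is_fake_woff2(data):
    return data[:4] != WOFF2_MAGIC  # a ".woff2" without the signature is not a font

def scan_repo(root):
    """Walk a checkout and return {relative path: finding} for the two tells above."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == "tasks.json" and ".vscode" in path.parts:
            tasks = folder_open_tasks(path.read_text(encoding="utf-8", errors="replace"))
            if tasks is None:
                findings[rel] = "unparseable tasks.json, review manually"
            elif tasks:
                findings[rel] = "folderOpen task(s): " + ", ".join(tasks)
        elif path.suffix == ".woff2" and is_fake_woff2(path.read_bytes()):
            findings[rel] = "fake .woff2 (no wOF2 signature)"
    return findings

def build_sample_repo():
    """Constructed sample checkout for a self-test; not files from the real campaign."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "setup", "type": "shell", "command": "node assets/fonts/icon.woff2",
         "runOptions": {"runOn": "folderOpen"}}]}))
    fonts = root / "assets" / "fonts"
    fonts.mkdir(parents=True)
    (fonts / "icon.woff2").write_bytes(b"(function(){})();")  # script wearing a font extension
    (fonts / "real.woff2").write_bytes(WOFF2_MAGIC + b"\x00" * 40)  # plausible font header
    return root
```

Run `scan_repo(build_sample_repo())` for the self-test, or point `scan_repo` at a real checkout; a hit on either check is a reason to treat the machine as compromised per the steps above.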

Indicators of Compromise (IoCs)

Type | Indicator | Description
GitHub Account | Xpos587 | Threat-actor-controlled account linked to bulk repository modification on June 23, 10:00 UTC
GitHub Repository | Xpos587/git2md | Repository compromised as part of the PolinRider campaign
