North Korean hackers are targeting open source software developers with a backdoor and an information stealer as part of a broad supply chain campaign, Socket reports.
Referred to as PolinRider, the campaign has been ongoing since December 2025, using compromised GitHub repositories injected with JavaScript loaders leading to the DEV#POPPER remote access trojan (RAT) and the OmniStealer information stealer.
Associated with the broader Contagious Interview operation, which includes tactics also seen in the DeceptiveDevelopment, Operation Dream Job, and ClickFake Interview campaigns, PolinRider is targeting developers across NPM, Packagist, Go modules, and Chrome extensions.
To date, Socket has identified 162 malicious release artifacts across 108 unique packages, with more expected to emerge as the campaign continues.
As part of the attacks, the threat actor compromises maintainer accounts to tamper with legitimate repositories and push infected packages. Additionally, the attackers rely on Git history rewriting to make the malicious changes appear older.
The compromised repositories contain obfuscated JavaScript loaders that connect to the blockchain and public remote procedure call (RPC) infrastructure to retrieve encrypted payloads.
Among the incidents associated with PolinRider, Socket identified the compromise of Xpos587, a GitHub account that maintains several repositories that were modified on June 23 during a small timeframe.
Recently, the campaign expanded to Packagist, where multiple packages under the sevenspan namespace were compromised. The attackers hid the malicious loaders in configuration files that were not identified during the cleanup operation.
“Teams that installed any affected package or extension version should treat the installation environment as potentially compromised until reviewed. Because PolinRider targets developer environments and may expose package registry, source code, cloud, and CI/CD credentials, remediation should be performed from a clean machine, not from the potentially infected host,” Socket notes.
Related: North Korean Hackers Blamed for Mastra NPM Supply Chain Attack
Related: North Korean Hackers Use AppleScript, ClickFix in Fresh macOS Attacks
Related: $290 Million Kelp DAO Crypto Heist Blamed on North Korea
Related: North Korean Hackers Target High-Profile Node.js Maintainers

