North Korean Hackers Seed 108 Malicious Packages Across npm, Go, Packagist, and Chrome
What Happened
Researchers have identified 108 malicious packages and browser extensions planted across npm, Packagist, Go modules, and the Google Chrome Web Store as part of an ongoing supply chain campaign dubbed PolinRider, attributed to the North Korean Contagious Interview threat cluster. The Hacker News has the full breakdown, noting the campaign "remains active" — meaning new packages may still be appearing.
Contagious Interview is the same group behind years of fake job-interview attacks targeting software developers. PolinRider appears to be an evolution of that playbook: instead of tricking individual developers into running a malicious repo during a staged interview, they are seeding poisoned packages into the registries that developers pull from automatically every day.
Why It Matters
Supply chain injection through public registries is one of the highest-leverage attack vectors available to a nation-state actor. A single npm install, go get, or composer require resolving to one of these packages is enough to execute arbitrary code on a developer workstation — and from there the blast radius is severe: CI/CD runner credentials, cloud provider keys stored in environment variables, SSH agents, browser-stored tokens, and any secrets accessible to the shell.
Chrome extensions amplify the risk further. Extensions approved into the Web Store run with broad host permissions and can silently intercept OAuth flows, harvest session cookies, and exfiltrate tokens from tools like GitHub, AWS Console, Okta, and internal dashboards — all without triggering endpoint alerts. A malicious extension that survives auto-update cycles can maintain persistent access long after the initial install.
The breadth of this campaign — four separate ecosystems in one coordinated push — signals a deliberate attempt to maximize the probability of landing in at least one dependency tree per targeted developer.
What To Do Right Now
- Audit your lockfiles. Pull the full list of affected package names from the Hacker News coverage and cross-reference your `package-lock.json`, `go.sum`, and `composer.lock`. Don't rely on `npm ls` alone — check transitive deps.
- Review installed Chrome extensions. Go to `chrome://extensions`, enable Developer Mode, and audit anything installed in the last 30–60 days. Remove any extension you cannot attribute to a known, trusted source. Pay particular attention to productivity, API testing, or developer-focused extensions.
- Check your CI/CD pipelines. Any runner that resolves packages at build time is a potential infection vector. Inspect pipeline logs for unexpected network calls and rotate any secrets exposed to build environments.
- Pin versions with integrity hashes. If you are not already using `npm ci` with a committed lockfile and checksum verification for Go modules (`GONOSUMCHECK` should be empty), now is the time. For npm, consider enabling `npm audit` in CI as a blocking step.
- Rotate credentials on affected machines. If any developer machine or CI runner pulled packages from these ecosystems in the past 30 days, treat credentials as potentially compromised and rotate before investigating.
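The lockfile cross-reference from the first step, written out as an added example (not code from the coverage or from any affected project). It walks all three lockfile formats including transitive entries; the affected names and the sample lockfiles are constructed placeholders, since the real package list comes from the published coverage, not from this page.

```python
import json

# Constructed placeholders: substitute the real affected names from the published coverage.
AFFECTED = {"example-bad-pkg", "github.com/example/bad-mod", "example/bad-php-lib"}

def npm_lock_packages(text):
    """All package names in package-lock.json, transitive included (lockfile v1, v2 and v3)."""
    lock = json.loads(text)
    names = set()
    for path, entry in lock.get("packages", {}).items():  # v2/v3: keys are node_modules/ paths
        if path:                                          # "" is the root project itself
            names.add(entry.get("name") or path.split("node_modules/")[-1])
    def walk(deps):                                       # v1: nested "dependencies" tree
        for name, entry in deps.items():
            names.add(name)
            walk(entry.get("dependencies", {}))
    walk(lock.get("dependencies", {}))
    return names

def go_sum_modules(text):
    """Module paths from go.sum; each line is '<module> <version>[/go.mod] <hash>'."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}

def composer_lock_packages(text):
    """Names from composer.lock, both runtime and dev packages."""
    lock = json.loads(text)
    return {p["name"] for key in ("packages", "packages-dev") for p in lock.get(key, [])}

def find_affected(npm_lock, go_sum, composer_lock, affected=AFFECTED):
    """Return the sorted list of affected names present in any of the three lockfiles."""
    found = npm_lock_packages(npm_lock) | go_sum_modules(go_sum) | composer_lock_packages(composer_lock)
    return sorted(found & affected)

# Constructed sample lockfiles; the bad package in npm is a transitive dep, two levels deep.
SAMPLE_NPM_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "my-app"},
    "node_modules/left-pad-ish": {"version": "1.0.0"},
    "node_modules/left-pad-ish/node_modules/example-bad-pkg": {"version": "0.0.1"}}})
SAMPLE_GO_SUM = ("github.com/example/bad-mod v1.2.3 h1:AAAA=\n"
                 "golang.org/x/text v0.14.0/go.mod h1:BBBB=\n")
SAMPLE_COMPOSER_LOCK = json.dumps({"packages": [{"name": "monolog/monolog"}],
                                   "packages-dev": [{"name": "example/bad-php-lib"}]})

if __name__ == "__main__":
    print(find_affected(SAMPLE_NPM_LOCK, SAMPLE_GO_SUM, SAMPLE_COMPOSER_LOCK))
```

Run it against real files by reading `package-lock.json`, `go.sum` and `composer.lock` from each repository and CI workspace and passing their contents to `find_affected`.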
North Korea's development-targeting operations have historically been patient and persistent. PolinRider is not a proof-of-concept — it is an active, multi-registry deployment. Treat it accordingly.
Synthesized by Claude · sanity-checked before publish.