North Korean hackers flood open-source repositories with 108 booby-trapped packages

The Contagious Interview crew is back, seeding npm, Packagist, Go and Chrome with malware aimed at developers.

ThreatVectr Newsdesk· 3 min read
Full-frame overhead view of a cluttered developer's desk at night, glowing keyboard, open laptop showing abstract package manager output as coloured bars, small
Share

Key points

  • Researchers have linked 108 malicious software packages and browser add-ons to North Korean hackers in a campaign called PolinRider, disclosed this week.
  • The bad packages were published across four developer ecosystems: npm, Packagist, Go, and the Google Chrome Web Store.
  • The activity is tied to Contagious Interview, a long-running North Korean operation that targets software developers with fake job offers.
  • The campaign is still live, with new malicious packages expected as attackers take over legitimate maintainer accounts.
  • Everyday users are not the direct target, but the goal is to reach the companies whose developers install the poisoned code.

North Korean hackers have quietly seeded open-source software repositories with 108 malicious packages and browser extensions, part of a campaign researchers are calling PolinRider.

The packages appeared across four places where programmers download building blocks for their apps: npm (used by JavaScript developers), Packagist (used by PHP developers), Go (Google's programming language), and the Chrome Web Store, where browser add-ons live.

Think of these repositories as app stores for developers. A programmer building a new website or tool grabs ready-made pieces from them to save time. If one of those pieces is booby-trapped, the malware rides along into whatever the developer is building — and often onto their work laptop.

Who are these hackers actually after?

Developers. Specifically, developers at crypto firms, banks and tech companies. The campaign is an offshoot of Contagious Interview, a North Korean operation first reported by The Hacker News and others, in which fake recruiters approach engineers on LinkedIn with a tempting job offer and then ask them to run a "coding test" that quietly installs malware.

PolinRider is the supply-chain version of the same idea. Instead of tricking one engineer at a time, the hackers poison the wells that thousands of engineers drink from.

How the packages get onto trusted repositories

Two routes, mostly.

The first is straightforward: attackers create a package with a name that looks close to a popular one, hoping a rushed developer types it by mistake. This is known in the industry as typosquatting.

The second is nastier. The hackers break into the accounts of legitimate package maintainers — the real authors whom other developers already trust — and push a poisoned update from that trusted account. Researchers tracking PolinRider say this account-takeover pattern is why the campaign keeps producing new packages weeks after it was first spotted.

Once installed, the malicious code typically pulls down a second-stage payload: an information stealer that hunts for crypto wallets, browser-saved passwords, and session cookies. Session cookies matter because they let an attacker walk into a logged-in account without needing the password or the multi-factor code. On the identity side, this is the part that stings. Multi-factor authentication would not have stopped it, because the cookie represents an already-authenticated session.

What should developers and their employers do?

If you write software for a living, or you manage people who do, treat every dependency as untrusted until proven otherwise.

Pin exact versions rather than pulling "latest". Review new maintainers before accepting an update. Run installs inside a sandbox or a disposable container, not on the same laptop that holds your production credentials. And rotate any session tokens and API keys on machines that touched a suspect package — a stolen cookie is only useful until it is revoked.

For everyone else: you cannot directly avoid this one. It is a reminder that many breaches of consumer services start not with the service itself, but with a developer's laptop three companies upstream.

Expect more PolinRider packages before the year is out. North Korea's developer-hunting crews have been at this since 2023, and the economics — a stolen crypto wallet can fund a lot of missiles — keep them motivated.

© 2026 Threat Vectr