North Korean hackers flood open-source repositories with 108 booby-trapped packages
The Contagious Interview crew is back, seeding npm, Packagist, Go and Chrome with malware aimed at developers.

Key points
- Researchers have linked 108 malicious software packages and browser add-ons to North Korean hackers in a campaign called PolinRider, disclosed this week.
- The bad packages were published across four developer ecosystems: npm, Packagist, Go, and the Google Chrome Web Store.
- The activity is tied to Contagious Interview, a long-running North Korean operation that targets software developers with fake job offers.
- The campaign is still live, with new malicious packages expected as attackers take over legitimate maintainer accounts.
- Everyday users are not the direct target, but the goal is to reach the companies whose developers install the poisoned code.
North Korean hackers have quietly seeded open-source software repositories with 108 malicious packages and browser extensions, part of a campaign researchers are calling PolinRider.
The packages appeared across four places where programmers download building blocks for their apps: npm (used by JavaScript developers), Packagist (used by PHP developers), Go (Google's programming language), and the Chrome Web Store, where browser add-ons live.
Think of these repositories as app stores for developers. A programmer building a new website or tool grabs ready-made pieces from them to save time. If one of those pieces is booby-trapped, the malware rides along into whatever the developer is building — and often onto their work laptop.
Who are these hackers actually after?
Developers. Specifically, developers at crypto firms, banks and tech companies. The campaign is an offshoot of Contagious Interview, a North Korean operation first reported by The Hacker News and others, in which fake recruiters approach engineers on LinkedIn with a tempting job offer and then ask them to run a "coding test" that quietly installs malware.
PolinRider is the supply-chain version of the same idea. Instead of tricking one engineer at a time, the hackers poison the wells that thousands of engineers drink from.
How the packages get onto trusted repositories
Two routes, mostly.
The first is straightforward: attackers create a package with a name that looks close to a popular one, hoping a rushed developer types it by mistake. This is known in the industry as typosquatting.
The second is nastier. The hackers break into the accounts of legitimate package maintainers — the real authors whom other developers already trust — and push a poisoned update from that trusted account. Researchers tracking PolinRider say this account-takeover pattern is why the campaign keeps producing new packages weeks after it was first spotted.
Once installed, the malicious code typically pulls down a second-stage payload: an information stealer that hunts for crypto wallets, browser-saved passwords, and session cookies. Session cookies matter because they let an attacker walk into a logged-in account without needing the password or the multi-factor code. On the identity side, this is the part that stings. Multi-factor authentication would not have stopped it, because the cookie represents an already-authenticated session.
What should developers and their employers do?
If you write software for a living, or you manage people who do, treat every dependency as untrusted until proven otherwise.
Pin exact versions rather than pulling "latest". Review new maintainers before accepting an update. Run installs inside a sandbox or a disposable container, not on the same laptop that holds your production credentials. And rotate any session tokens and API keys on machines that touched a suspect package — a stolen cookie is only useful until it is revoked.
For everyone else: you cannot directly avoid this one. It is a reminder that many breaches of consumer services start not with the service itself, but with a developer's laptop three companies upstream.
Expect more PolinRider packages before the year is out. North Korea's developer-hunting crews have been at this since 2023, and the economics — a stolen crypto wallet can fund a lot of missiles — keep them motivated.



