North Korean Hackers Poisoned Over 100 Open Source Packages to Spy on Developers
A campaign called PolinRider has quietly corrupted legitimate software building blocks used by developers worldwide, planting tools that steal data and leave a hidden door open for attackers.

Key points
- North Korean hackers, through a campaign named PolinRider, corrupted more than 100 legitimate open source packages and code repositories.
- The malicious packages delivered a backdoor, meaning hidden software that lets attackers return to a device whenever they choose, and an information stealer that harvests saved data.
- Developers, not end users, are the direct targets, making this a supply-chain attack where the poisoned ingredient gets baked into other products.
- SecurityWeek first reported the campaign details.
If you have ever installed an app on your phone, that app was probably built using dozens of smaller, ready-made software components called open source packages. Developers grab these freely available building blocks to save time. PolinRider went after those building blocks.
By quietly corrupting over 100 of them, the hackers positioned themselves to reach not just one victim but every developer who downloaded and used the tainted code. Think of it like poisoning the flour supply rather than a single loaf of bread.
How did the hackers actually get in?
The attackers replaced or tampered with legitimate packages hosted in widely trusted code repositories, which are online libraries where developers share and download software. Once a developer pulled in a poisoned package, two things happened. First, a backdoor installed itself quietly, giving the attackers ongoing, hidden access to that developer's machine. Second, an information stealer went to work, scooping up credentials, session tokens (short-lived digital keys that prove you are logged in), and other sensitive data.
From there, the stolen credentials could be used to break into the developer's employer, their clients, or any service the developer had saved a password for.
MFA, meaning multi-factor authentication where a second proof of identity (like a code sent to your phone) is required alongside a password, would not have stopped the initial infection here. The malware arrives through code the developer genuinely meant to install, not through a stolen password. That is what makes supply-chain attacks so difficult to catch.
For ordinary people, the risk is indirect but real. Software your bank, hospital, or favourite retailer uses may have been built by developers who unknowingly downloaded one of these packages. Compromised developer machines are a well-worn path to much larger breaches.
If you are a developer or work at a company that builds software, the immediate steps are straightforward. Audit the open source packages your team uses. Check whether any were flagged in the PolinRider campaign. Treat unexpected outbound network traffic from a development machine as a serious warning sign.
For everyone else: keep an eye on breach-notification emails from services you use, and change passwords for any account where you reused credentials. A password manager helps enormously here.



