GitHub Maintainer Accounts Compromised in PolinRider Campaign

First seen 3 Jul 2026, 13:32 UTC. Source: Gbhackers

Article Content


Threat actors have compromised GitHub maintainer accounts to distribute trojanized package versions in a widespread supply-chain campaign tracked as PolinRider. The investigation uncovered 162 malicious release artifacts across 108 unique packages, spanning npm, Packagist, Go modules, and a Chrome extension. The activity is linked to a North Korean threat cluster known for targeting developers. The attackers take over maintainer accounts through credential compromise or abuse of account-recovery flows, then modify the repositories to introduce obfuscated JavaScript loaders. The loaders are triggered by developer tooling, notably VS Code, when an affected project is opened. The campaign has expanded beyond npm: 80 compromised Go modules and 10 Packagist packages have been identified. A key evasion technique is rewriting Git history so that the malicious changes are hidden from the visible commit history. Known follow-on payloads include DEV#POPPER and OmniStealer, which provide remote access and credential theft.
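The history-rewrite evasion described above is detectable wherever a previous tip of a branch or tag was recorded (a CI cache, a mirror, a release pipeline): a legitimate push is a fast-forward, so the last known tip must be an ancestor of the new tip. The block below is an added example, not code from the article or from any of the affected projects. It implements that check offline over the output of `git rev-list --parents <tip>` (one line per commit: the commit hash followed by its parent hashes); the hashes and histories in it are constructed. On a live clone, `git merge-base --is-ancestor <old> <new>` gives the same yes/no answer, but the version here also lists which commits disappeared.

```python
"""Detect a non-fast-forward ref update (a rewritten history) from `git rev-list --parents`
output, and list the commits that vanished. Added example; all hashes below are constructed."""

# Constructed output of `git rev-list --parents main` as a mirror recorded it before the
# suspicious push. Each line: "<commit> <parent1> [<parent2> ...]"; a root commit has no parents.
REV_LIST_BEFORE = """\
beef003 c0ffee2
c0ffee2 aaaa001
aaaa001
"""
LAST_KNOWN_TIP = "beef003"

# Constructed output of the same command after a push that replaced the tip:
# f00d001 was written on top of c0ffee2, and beef003 is no longer reachable from the branch.
REV_LIST_AFTER = """\
f00d001 c0ffee2
c0ffee2 aaaa001
aaaa001
"""
NEW_TIP = "f00d001"


def parse_rev_list(text):
    """Map each commit to its list of parents (root commits map to [])."""
    graph = {}
    for line in text.splitlines():
        parts = line.split()
        if parts:
            graph[parts[0]] = parts[1:]
    return graph


def reachable(graph, tip):
    """All commits reachable from `tip` by following parent links (merge commits included)."""
    seen, stack = set(), [tip]
    while stack:
        commit = stack.pop()
        if commit in seen:
            continue
        seen.add(commit)
        stack.extend(graph.get(commit, []))
    return seen


def is_fast_forward(new_graph, old_tip, new_tip):
    """A push is a fast-forward iff the old tip is an ancestor of (or equal to) the new tip."""
    return old_tip in reachable(new_graph, new_tip)


def audit_ref_update(old_tip, old_graph, new_tip, new_graph):
    """Return (fast_forward, dropped). `dropped` is the set of commits that were reachable from
    the old tip but are not reachable from the new one, i.e. what the rewrite removed from view."""
    if is_fast_forward(new_graph, old_tip, new_tip):
        return True, set()
    dropped = reachable(old_graph, old_tip) - reachable(new_graph, new_tip)
    return False, dropped


def run_sample():
    """Audit the constructed before/after histories; returns (False, {'beef003'})."""
    before = parse_rev_list(REV_LIST_BEFORE)
    after = parse_rev_list(REV_LIST_AFTER)
    return audit_ref_update(LAST_KNOWN_TIP, before, NEW_TIP, after)


if __name__ == "__main__":
    ff, dropped = run_sample()
    print("fast-forward" if ff else f"HISTORY REWRITTEN, dropped commits: {sorted(dropped)}")
```

Record the tip hash per protected branch and release tag at every CI run or mirror sync, and treat a non-fast-forward update as a build-blocking event: the dropped set tells you exactly which commits to diff against the new tip. Rebased feature branches are force-pushed legitimately, so apply the check to release branches and tags rather than to every ref.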

Key Points:
• 162 malicious artifacts identified across multiple ecosystems, including npm and Go modules.
• Attackers use compromised GitHub maintainer accounts to introduce obfuscated JavaScript loaders.
• The PolinRider campaign is linked to North Korean threat actors targeting developers.

ThreatCluster AI

Timeline

2026-06-09
CVE-2026-45504 published
A critical vulnerability was disclosed, with a proof of concept released on June 24.
Gbhackers
2026-06-23
Xpos587 account compromised
Multiple unrelated repositories were modified in a tight time window, indicating account takeover.
Gbhackers
Recent
Malicious packages observed
80 Go modules and 10 Packagist packages were compromised, expanding the campaign's reach.
Gbhackers
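The indicator the timeline gives for the account takeover (one account modifying several unrelated repositories within a tight time window) can be turned into a detection over push or audit-log events. The block below is an added example, not the article's or any vendor's detection logic. It runs offline over a constructed log of `timestamp,actor,repository` lines (that column layout is an assumption; adapt the parser to your audit-log export) and flags any actor that pushes to at least `min_repos` distinct repositories inside a sliding `window`, using distinct repositories as the approximation of "unrelated".

```python
"""Flag accounts that push to several distinct repositories within a short window.
Added example; the log below is constructed and its CSV layout is an assumption."""
from datetime import datetime, timedelta, timezone

# Constructed push log (not real data), one event per line: "ISO-8601 timestamp,actor,repository".
PUSH_LOG = """\
2026-06-23T09:15:02Z,acct-1,org/web-frontend
2026-06-23T11:40:55Z,acct-2,org/web-frontend
2026-06-23T14:02:11Z,acct-1,org/auth-proxy
2026-06-23T14:03:48Z,acct-1,org/billing-cli
2026-06-23T14:05:30Z,acct-1,org/legacy-docs
2026-06-23T14:06:02Z,acct-1,org/auth-proxy
2026-06-23T16:20:00Z,acct-2,org/infra-tf
"""


def parse_push_log(text):
    """Return [(timestamp, actor, repo)] sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 3:
            continue
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, fields[1], fields[2]))
    return sorted(events)


def flag_bursts(events, window=timedelta(minutes=10), min_repos=3):
    """For each actor, slide a window across their pushes and report every window in which at
    least `min_repos` distinct repositories were pushed to. Returns {actor: [hit, ...]} with each
    hit a dict of "start", "end", "repos". Later windows that add no new repository to the
    previous hit are collapsed so one burst is reported once."""
    by_actor = {}
    for ts, actor, repo in events:
        by_actor.setdefault(actor, []).append((ts, repo))

    hits = {}
    for actor, pushes in by_actor.items():
        for i, (start, _) in enumerate(pushes):
            repos, end = set(), start
            for ts, repo in pushes[i:]:
                if ts - start > window:
                    break
                repos.add(repo)
                end = ts
            if len(repos) < min_repos:
                continue
            previous = hits.get(actor, [])
            if previous and repos <= previous[-1]["repos"]:
                continue  # same burst, seen from a later starting push
            hits.setdefault(actor, []).append({"start": start, "end": end, "repos": repos})
    return hits


if __name__ == "__main__":
    for actor, bursts in flag_bursts(parse_push_log(PUSH_LOG)).items():
        for b in bursts:
            print(f"{actor}: {len(b['repos'])} repos between {b['start']:%H:%M:%S} "
                  f"and {b['end']:%H:%M:%S}: {sorted(b['repos'])}")
```

Tune `window` and `min_repos` to the organisation's normal push cadence (a release manager tagging ten repositories at once is a legitimate burst), and treat a hit as a triage signal rather than a verdict: it becomes much stronger when the same account also produced a non-fast-forward update on a protected branch, or when the pushes came from a session that was newly established through an account-recovery flow.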
