Gbhackers
GitHub Maintainer Accounts Compromised in PolinRider Campaign
Threat actors have compromised GitHub maintainer accounts to distribute infected package versions in a widespread PolinRider supply-chain campaign. The investigation uncovered 162 malicious release artifacts across 108 unique packages, affecting npm, Packagist, Go modules, and a Chrome extension. This activity is linked to a North Korean threat cluster known for targeting developers. Attackers gain access through account compromises or recovery abuse, modifying repositories to introduce obfuscated JavaScript loaders. These loaders execute via developer tools, notably in VS Code, when projects are opened. The campaign has expanded beyond npm, with 80 compromised Go modules and 10 Packagist packages identified. A critical evasive technique involves rewriting Git history to obscure malicious changes. Known follow-on payloads include DEV#POPPER and OmniStealer, which provide remote access and credential theft capabilities.
Key Points:
• 162 malicious artifacts identified across multiple ecosystems including npm and Go modules.
• Attackers exploit GitHub maintainer accounts to introduce obfuscated JavaScript loaders.
• PolinRider campaign linked to North Korean threat actors targeting developers.
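The report says the loaders run when a project is opened in VS Code. A defender-side check for that trigger, added here and not part of the original report: it assumes the loader is wired through a `.vscode/tasks.json` task with `runOptions.runOn` set to `"folderOpen"` (the article does not name the mechanism), and the sample tasks file is constructed.

```python
import json, os, pathlib, re, tempfile

# Constructed sample tasks.json in the JSON-with-comments dialect VS Code accepts.
# Assumption: the auto-run hook is a task with runOptions.runOn == "folderOpen".
SAMPLE_TASKS_JSON = """{
  // comments are legal here, so plain json.loads() would choke
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "command": "node ./scripts/setup.js",
     "runOptions": {"runOn": "folderOpen"}},
  ]
}"""

def strip_comments(text: str) -> str:
    """Drop // and /* */ comments while leaving string literals (e.g. URLs) untouched."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                      # copy the whole string literal
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1]); i = j + 1
        elif text.startswith("//", i):          # line comment: skip to end of line
            j = text.find("\n", i); i = n if j < 0 else j
        elif text.startswith("/*", i):          # block comment: skip past closer
            j = text.find("*/", i + 2); i = n if j < 0 else j + 2
        else:
            out.append(text[i]); i += 1
    return "".join(out)

def auto_run_tasks(tasks_json_text: str) -> list:
    """Return (label, command) for each task configured to run on folderOpen."""
    cleaned = re.sub(r",(\s*[}\]])", r"\1", strip_comments(tasks_json_text))  # trailing commas
    return [(t.get("label", "<unnamed>"), t.get("command", ""))
            for t in json.loads(cleaned).get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]

def scan_repo(root: str) -> list:
    """Check <root>/.vscode/tasks.json of a checkout; [] means nothing auto-runs."""
    path = os.path.join(root, ".vscode", "tasks.json")
    if not os.path.isfile(path):
        return []
    return auto_run_tasks(open(path, encoding="utf-8").read())

def demo() -> list:
    """Lay the constructed sample out like a cloned repo and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".vscode"))
        pathlib.Path(root, ".vscode", "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
        return scan_repo(root)
```

Run `scan_repo(path)` on a freshly cloned dependency before opening it in the editor; any hit is a task that would execute without a click.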