North Korea-linked hackers infect open-source packages
Hackers linked to North Korea used compromised maintainer accounts to add obfuscated JavaScript loaders to GitHub, NPM, Packagist, Go modules and Chrome extensions, deploying DEV#POPPER and OmniStealer.
Security firm Socket reported a supply-chain campaign named PolinRider that has injected malicious release artifacts into open-source packages and browser extensions.
Socket says the operation has been active since December 2025 and targets projects across GitHub, NPM, Packagist, Go module registries and Chrome extension stores.
Attackers obtain access by compromising maintainer accounts, then modify legitimate repositories to publish infected package releases. Socket identified 162 malicious release artifacts across 108 distinct packages so far and expects more to surface.
Compromised repositories were altered to include obfuscated JavaScript loaders. Those loaders connect to blockchain-based endpoints and public RPC infrastructure to retrieve encrypted payloads. The payloads deploy DEV#POPPER, a remote access trojan that enables persistent control, and OmniStealer, a program that harvests credentials and files.
Observers documented cases in which attackers rewrote Git histories to make malicious commits appear older. In some incidents the loaders were hidden inside configuration files and were not removed during cleanup.
Socket linked a June 23 compromise of the Xpos587 GitHub account, which contained several modified repositories, and recent changes to multiple Packagist packages under the sevenspan namespace.
Socket advised: “Teams that installed any affected package or extension version should treat the installation environment as potentially compromised until reviewed. Because PolinRider targets developer environments and may expose package registry, source code, cloud, and CI/CD credentials, remediation should be performed from a clean machine, not from the potentially infected host.”
The campaign targets developer environments where package registries, source code, cloud credentials and CI/CD systems are accessible. Socket recommends reviewing recent package releases, verifying maintainer account integrity, inspecting Git histories for unexplained rewrites, rotating secrets stored on developer machines or CI systems, restoring from known-good backups and rebuilding build environments on clean systems.
Security teams are advised to monitor for signs of DEV#POPPER activity and for credential exfiltration associated with OmniStealer as part of incident response.




