North Korean hackers are running the PolinRider supply chain campaign to target open source developers with the DEV#POPPER RAT and OmniStealer through compromised repositories and packages. The operation spans NPM, Packagist, Go modules, and Chrome extensions, with attackers using Git history rewriting and hidden loaders to steal credentials and persist in developer environments. #PolinRider #DEVPOPPER #OmniStealer #ContagiousDevelopment #Xpos587
Keypoints
- PolinRider targets open source software developers through a broad supply chain campaign.
- Compromised GitHub repositories deliver the DEV#POPPER RAT and OmniStealer payloads.
- The campaign affects NPM, Packagist, Go modules, and Chrome extensions.
- Attackers rewrite Git history to hide malicious changes and make them appear older.
- Socket found 162 malicious artifacts across 108 packages, including the Xpos587 and sevenspan compromises.