North Korean Contagious Interview PolinRider supply-chain campaign
Campaign
Summary
Hide ▲
Show ▼
The Contagious Interview / PolinRider campaign is still active, with 108 unique packages and browser extensions published across npm, Packagist, Go, and Google Chrome. The operation has also compromised maintainer accounts and repositories, increasing the chance that trusted software updates deliver malware. By April 11, 2026, the activity had reached 1,951 public GitHub repositories tied to 1,047 unique owners and was used to stage DEV#POPPER RAT and OmniStealer.
Related Happenings
Single organization's private GitHub repository cloned after confirmed access
Data Leak
H score12
First: 09.07.2026 21:38
Last: 09.07.2026 21:38
Sources 1
About this happening:
**Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...
Single organization's private GitHub repository cloned after confirmed access
Data LeakAbout this happening: **Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...
GitHub API enumeration campaign targeting corporate organizations
Campaign
H score17
First: 09.07.2026 21:38
Last: 09.07.2026 21:38
Sources 1
About this happening:
A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...
GitHub API enumeration campaign targeting corporate organizations
CampaignAbout this happening: A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...
PolinRider GitHub supply-chain campaign delivering BeaverTail and InvisibleFerret
Campaign
H score9
First: 23.06.2026 11:54
Last: 23.06.2026 11:54
Sources 1
About this happening:
A **North Korean** supply-chain campaign dubbed **PolinRider** is injecting obfuscated JavaScript into compromised **GitHub repositories**, exposing developers to staged malware d...
PolinRider GitHub supply-chain campaign delivering BeaverTail and InvisibleFerret
CampaignAbout this happening: A **North Korean** supply-chain campaign dubbed **PolinRider** is injecting obfuscated JavaScript into compromised **GitHub repositories**, exposing developers to staged malware d...
North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale
Threat Actor Meta
H score31
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources 1
About this happening:
North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...
North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale
Threat Actor MetaAbout this happening: North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...
Contagious Interview UNK_DeadDrop GitHub phishing campaign
Campaign
H score37
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources 1
About this happening:
The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
Contagious Interview UNK_DeadDrop GitHub phishing campaign
CampaignAbout this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
Timeline
-
04.07.2026 14:17 1 articles · 5d ago
PolinRider compromises 1,951 public GitHub repositories
Campaign Scope UpdateOn April 11, 2026, PolinRider activity had compromised 1,951 public GitHub repositories associated with 1,047 unique owners and had merged with TaskJacker, a related cluster that drops malicious VS Code task files into existing repositories. The broader tradecraft uses compromised maintainer access, obfuscated JavaScript loaders, and Git history rewriting to hide malicious changes and trigger code execution through developer tooling.
Show sources
- North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign — thehackernews.com — 04.07.2026 14:17
-
04.07.2026 14:17 2 articles · 5d ago
PolinRider publishes 108 malicious packages and browser extensions
Technical Analysis UpdateContagious Interview-linked North Korean operators publish 108 unique packages and browser extensions across npm, Packagist, Go, and Google Chrome as part of the PolinRider campaign, with 162 malicious release artifacts spanning 19 npm libraries, 10 Composer packages, 61 Go modules, and one Google Chrome extension. The activity remains active and is likely to keep producing new malicious packages as maintainers, legitimate repositories, and registry access are abused to deliver infected package versions.
Show sources
- North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign — thehackernews.com — 04.07.2026 14:17
- North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign — thehackernews.com — 04.07.2026 14:17