Find notable cyber news and cases, enriched with sources, timelines, and signals.

North Korean Contagious Interview PolinRider supply-chain campaign

Campaign
First reported
Last updated
Happening score
H score 51
1 unique sources, 1 articles

Summary

Hide ▲

The Contagious Interview / PolinRider campaign is still active, with 108 unique packages and browser extensions published across npm, Packagist, Go, and Google Chrome. The operation has also compromised maintainer accounts and repositories, increasing the chance that trusted software updates deliver malware. By April 11, 2026, the activity had reached 1,951 public GitHub repositories tied to 1,047 unique owners and was used to stage DEV#POPPER RAT and OmniStealer.

Related Happenings

Single organization's private GitHub repository cloned after confirmed access

Data Leak
H score12 First: 09.07.2026 21:38 Last: 09.07.2026 21:38 Sources 1

About this happening: **Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...

GitHub API enumeration campaign targeting corporate organizations

Campaign
H score17 First: 09.07.2026 21:38 Last: 09.07.2026 21:38 Sources 1

About this happening: A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...

PolinRider GitHub supply-chain campaign delivering BeaverTail and InvisibleFerret

Campaign
H score9 First: 23.06.2026 11:54 Last: 23.06.2026 11:54 Sources 1

About this happening: A **North Korean** supply-chain campaign dubbed **PolinRider** is injecting obfuscated JavaScript into compromised **GitHub repositories**, exposing developers to staged malware d...

North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale

Threat Actor Meta
H score31 First: 15.06.2026 22:32 Last: 15.06.2026 22:32 Sources 1

About this happening: North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...

Contagious Interview UNK_DeadDrop GitHub phishing campaign

Campaign
H score37 First: 15.06.2026 22:32 Last: 15.06.2026 22:32 Sources 1

About this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...

Timeline

  1. 04.07.2026 14:17 1 articles · 5d ago

    PolinRider compromises 1,951 public GitHub repositories

    Campaign Scope Update

    On April 11, 2026, PolinRider activity had compromised 1,951 public GitHub repositories associated with 1,047 unique owners and had merged with TaskJacker, a related cluster that drops malicious VS Code task files into existing repositories. The broader tradecraft uses compromised maintainer access, obfuscated JavaScript loaders, and Git history rewriting to hide malicious changes and trigger code execution through developer tooling.

    Show sources
  2. 04.07.2026 14:17 2 articles · 5d ago

    PolinRider publishes 108 malicious packages and browser extensions

    Technical Analysis Update

    Contagious Interview-linked North Korean operators publish 108 unique packages and browser extensions across npm, Packagist, Go, and Google Chrome as part of the PolinRider campaign, with 162 malicious release artifacts spanning 19 npm libraries, 10 Composer packages, 61 Go modules, and one Google Chrome extension. The activity remains active and is likely to keep producing new malicious packages as maintainers, legitimate repositories, and registry access are abused to deliver infected package versions.

    Show sources