North Korea-aligned threat actors, tracked as Contagious Interview (or Famous Chollima), are significantly expanding a sophisticated software supply chain campaign known as PolinRider. According to security firm Socket, the group has published 108 unique malicious packages and browser extensions across the npm, Packagist (PHP), and Go open-source ecosystems. The campaign's objective is to compromise developer accounts and infiltrate enterprise CI/CD pipelines to steal credentials and propagate further attacks. This escalation highlights the persistent and evolving threat that state-sponsored actors pose to the integrity of the open-source software supply chain.
The PolinRider campaign is a multi-stage supply chain attack targeting software developers.
This campaign is a classic example of exploiting trust in the open-source ecosystem.
T1195.001 - Compromise Software Supply Chain by poisoning legitimate packages. The social engineering aspect also involves T1566 - Phishing.T1552.005 - Cloud Credentials and T1552.006 - Group-Policy-Preferences.T1059 - Command and Scripting Interpreter).T1195.002 - Compromise Software Development Environment. This allows them to inject their malware into the victim organization's own software, turning them into a distribution point for a wider attack.The PolinRider campaign poses a severe threat to organizations that rely on open-source software.
No specific package names, domains, or other IOCs were provided in the source articles.
Detecting this activity requires vigilance over the software development lifecycle. The following patterns could indicate related activity:
CI/CD build logspackage.json, composer.json, go.modEnforcing MFA on developer accounts for package registries and version control systems is critical to prevent account takeover.
Strict egress filtering on CI/CD runners can block the exfiltration of stolen credentials.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.