Since December 2025, a North Korean state-sponsored supply chain campaign called PolinRider has been systematically compromising legitimate open source maintainer accounts and injecting malware loaders into packages across NPM, Packagist, Go modules, and Chrome extensions. As of July 2026, Socket's Threat Research Team has identified 162 malicious release artifacts across 108 unique packages. The broader underlying GitHub operation, first flagged in March 2026, had compromised 1,951 public repositories belonging to 1,047 unique owners as of April 11. The campaign is ongoing and new malicious packages continue to surface.
For healthcare DevSecOps teams and security practitioners, the specific threat profile PolinRider presents warrants careful attention: this campaign targets developer environments specifically, with payloads designed to exfiltrate the exact credential types — CI/CD secrets, cloud API keys, package registry credentials, SSH keys, and source code — that connect developer workstations to production systems and patient data infrastructure.
What PolinRider Is
PolinRider is attributed to two North Korean state-sponsored threat groups: Famous Chollima — a subset of the high-profile Lazarus Group linked to the Contagious Interview campaign — and APT37, also known as Reaper or ScarCruft. Contagious Interview has been running for over three years, originally using fake job advertisements on LinkedIn and GitHub to trick developers into installing malware. PolinRider represents an evolution: rather than requiring developers to interact with a fake recruiter, the campaign embeds malware directly into the open source packages they install as part of normal work.The campaign's name derives from the attack infrastructure's use of public blockchain networks — TRON, Aptos, and BNB Smart Chain — as command and control channels. Using decentralized blockchain infrastructure for C2 is deliberate: it provides a resilient, censorship-resistant delivery mechanism that is significantly harder to block or take down than traditional C2 infrastructure. When a malicious loader executes, it connects to a public blockchain RPC endpoint, retrieves an encrypted second-stage payload, decrypts it in-memory using embedded XOR keys, and executes the result via JavaScript's eval() function — leaving minimal filesystem artifacts.
The Attack Chain in Detail
Understanding how PolinRider actually reaches a developer's environment requires tracing the full attack chain, because the sophistication of each step has direct implications for detection and response.Step 1: Maintainer Account Compromise
The campaign's entry point is compromised legitimate maintainer accounts on GitHub and package registries — not fake or typosquat packages. Attackers compromise legitimate developer accounts and repositories by placing malware loaders into popular packages that establish command-and-control systems and then deploy payloads designed to steal credentials and exfiltrate source code, as well as move laterally throughout a developer's environment. This distinction matters enormously: standard "check the publisher" verification advice provides no protection when the legitimate publisher's account has been taken over. Socket did not identify the credential theft method used to compromise maintainer accounts in all cases; in some instances the threat actor is not using stolen GitHub credentials, suggesting OAuth token abuse or other session hijacking mechanisms may be involved.Step 2: History Rewriting
After gaining access to a maintainer account, the attackers rewrite Git history using force pushes and inject anti-dated commits — making malicious changes appear to have been introduced during older maintenance updates. The visible commit history often appears benign, featuring routine messages from trusted maintainers. Identifying these stealth alterations requires security teams to conduct dedicated reviews of repository activity logs to spot retroactive history modifications and force pushes. Anti-dated commits directly defeat the "check when this code was introduced" heuristic that developers use to evaluate suspicious changes. A commit timestamped to January looks like routine maintenance even if it was force-pushed in June.Step 3: Payload Concealment
Socket identified two primary concealment methods. Earlier activity hid obfuscated JavaScript inside configuration files — `config.js` files, `vite.config.js` — appended alongside legitimate configuration code. The Packagist compromise used a different approach: fake `.woff2` font files containing the loader. The 7span namespace compromise illustrates a critical remediation gap: when maintainers detected and removed the fake font files, the obfuscated JavaScript hidden in configuration files remained in place. A cleanup that targets only one payload-hiding method can leave the campaign's other vectors active.Step 4: TaskJacker Merge
By April 2026, PolinRider had merged with a second cluster called TaskJacker, which drops malicious VS Code task files directly into victims' existing repositories — including the `"runOn: 'folderOpen'"` option that triggers code execution automatically when a folder is opened as a workspace in VS Code or Cursor. This is a particularly significant development for the healthcare DevSecOps context: a developer who opens a compromised repository in their IDE triggers malware execution without installing any package. The execution trigger is the IDE itself.Step 5: Payload Delivery and Persistence
The primary payloads are DEV#POPPER and OmniStealer. DEV#POPPER is a remote access trojan that provides persistent, full administrative control over the infected workstation — arbitrary command execution, file system access, and lateral movement capabilities. OmniStealer is an information stealer specifically engineered for developer environments, targeting cryptocurrency wallet private keys, browser session cookies, Git credentials, cloud API tokens, SSH keys, package registry credentials, and CI/CD secrets. Both operate silently after the initial execution. The loader-based design means the campaign can swap second-stage payloads as defenders adapt to current signatures, and Socket's analysis treats the loader as capable of delivering additional malware beyond the currently observed variants.The Scale Is Larger Than the Package Count Suggests
The 108 malicious package figure covers the supply chain distribution layer — packages published to registries. The GitHub compromise operation underlying PolinRider is significantly larger. As of April 11, 2026, the campaign had compromised 1,951 public repositories belonging to 1,047 unique owners. Rescana's analysis documents that malicious packages published in the campaign have been integrated into legitimate downstream projects, meaning the infection radius extends beyond developers who directly installed affected packages to organizations whose dependencies included those packages transitively.This transitive infection path is the supply chain problem that makes PolinRider harder to scope than a direct package compromise: your lockfile may not reference a PolinRider package directly, but a package you do reference may reference one.
Remediation Is More Than Package Removal
Socket's remediation guidance deserves to be reproduced precisely because the instinct to simply remove the offending package is insufficient and potentially dangerous: Teams that installed any affected package or extension version should treat the installation environment as potentially compromised until reviewed. Because PolinRider targets developer environments and may expose package registry, source code, cloud, and CI/CD credentials, remediation should be performed from a clean machine, not from the potentially infected host.The reasoning is straightforward: DEV#POPPER executes during package installation and establishes persistence immediately. If you are running your remediation workflow — rotating secrets, auditing repositories, reviewing logs — from an infected workstation, the RAT is watching. Credentials you rotate from the infected machine may be captured before the rotation completes. The clean machine requirement is not a suggestion.
The complete remediation sequence: preserve forensic artifacts first, then rebuild from known-good lockfiles on a clean machine, rotate all exposed secrets (CI/CD tokens, cloud API keys, SSH keys, package registry credentials, Git credentials) from the clean machine, exhaustively audit repositories for hidden execution paths and VS Code task files, and review dependency trees for transitive exposure.
What This Means for Healthcare
Developer Environments Are the Path to Clinical Systems
Healthcare organizations' developer environments — the workstations, repositories, and CI/CD pipelines where clinical applications, EHR integrations, and patient portal code are built and deployed — sit upstream of production systems that handle PHI. OmniStealer's specific credential targets map directly to the access paths between a developer workstation and those production systems: SSH keys for server access, cloud API tokens for infrastructure access, CI/CD secrets for deployment pipeline access, and package registry credentials for dependency chain integrity. A PolinRider compromise of a healthcare developer's workstation is not primarily a developer productivity incident. It is a potential breach notification trigger depending on what those credentials can reach.The VS Code / Cursor TaskJacker Vector Is Active in Healthcare Dev Environments
The TaskJacker merge introduced a specific threat to IDE-based workflows that warrants immediate attention for healthcare development teams. VS Code and Cursor are standard tools in healthcare software development. The `"runOn: 'folderOpen'"` VS Code task execution mechanism means that opening a repository in an IDE — an action developers perform dozens of times per day — can trigger malware execution if the repository contains a malicious task file. Healthcare development teams should audit their VS Code workspace configurations and `.vscode/tasks.json` files for unexpected `runOn: 'folderOpen'` tasks, and consider whether their IDE security policies address auto-execution configurations. This is an IDE configuration governance item, not just a package management item.Transitive Dependencies in Healthcare Applications Need Audit
Healthcare applications frequently use open source packages — NPM for web-based patient portals and clinical interfaces, Go modules for backend services and API gateways, PHP packages via Packagist for legacy clinical web applications. The transitive infection path documented by Rescana means that a healthcare organization's application may be downstream of a PolinRider-affected package without any direct reference in its own dependency manifest. Running a dependency audit against the Socket PolinRider IOC tracker — linked in the key links below — against your application dependency trees is the appropriate immediate action, not waiting for a direct package match in your lockfile.CI/CD Credential Exposure Is a HIPAA Incident Trigger
CI/CD secrets exposed through a PolinRider compromise include tokens with deployment access to production environments. For healthcare organizations where production environments contain or connect to systems handling ePHI, unauthorized access to deployment credentials constitutes unauthorized access to infrastructure that may trigger breach notification analysis under HIPAA. The relevant question is not whether the attacker accessed patient records directly — it is whether the compromised credentials could have provided access to systems that process, store, or transmit ePHI, and whether that access occurred. Treating a CI/CD credential exposure as a potential HIPAA breach notification event from the outset, and involving your privacy officer and legal counsel in the remediation scoping, is the appropriate posture for a healthcare organization.The Blockchain C2 Channel Evades Standard Network Controls
PolinRider's use of public blockchain RPC infrastructure for C2 — TRON, Aptos, and BNB Smart Chain — means the campaign's network traffic blends with legitimate blockchain activity. Network-layer controls that block known-bad C2 domains or IP ranges are not effective against public blockchain RPC endpoints, which serve legitimate traffic. Healthcare organizations relying on domain reputation filtering as a primary defense against C2 exfiltration should evaluate whether their network monitoring posture can detect anomalous blockchain API calls from developer workstations — a traffic pattern that has no legitimate business justification in most clinical and administrative computing environments.The Claude Code Desktop Connection
We covered Claude Code Desktop's permission model and security evaluation in AI Security Series #54. A healthcare developer running Claude Code Desktop with filesystem access and terminal permissions in an environment compromised by DEV#POPPER is running two agents with deep workstation access simultaneously — one legitimate and one adversarial. DEV#POPPER's arbitrary command execution capability and file system access run in the same environment as Claude Code's file editing and terminal sessions. Forensic analysis of a compromised developer environment that was also running Claude Code Desktop should account for the possibility that the RAT's activity may be interleaved in logs and filesystem events alongside legitimate AI-assisted development activity, complicating timeline reconstruction. This is an incident response consideration, not a reason to avoid Claude Code — it is a reason to maintain clean separation between development environments and production-adjacent systems.Detection Indicators
For healthcare security teams monitoring developer environments, the following detection priorities emerge from the PolinRider campaign's documented behavior:- Git force pushes on repositories not owned by your organization: Force pushes to public repositories your developers depend on, especially combined with commit timestamps inconsistent with repository activity patterns, are a PolinRider TTP. Monitor for force-push events on repositories in your dependency tree where your organization is not the maintainer.
- Outbound connections to blockchain RPC endpoints from developer workstations: Traffic to TRON, Aptos, and BNB Smart Chain RPC endpoints from workstations in your development environment has no legitimate business justification. Alert on it.
- JavaScript eval() execution of fetched payloads in Node.js processes: The loader's in-memory decryption and eval() execution pattern generates specific Node.js process behaviors detectable via EDR telemetry. Validate that your EDR coverage includes developer workstations and that Node.js process monitoring is active.
- VS Code task files with runOn: 'folderOpen' in unexpected repositories: Audit `.vscode/tasks.json` files across your organization's repositories for auto-execution configurations not introduced by your development team.
- Anti-dated commits in dependency repositories: Commits with timestamps significantly earlier than their push dates in packages your applications depend on are a Git history rewriting indicator. Include this check in your dependency audit workflow.
The Bigger Picture
PolinRider is the most significant open source supply chain campaign documented in 2026, and its expansion from NPM into Packagist, Go modules, and Chrome extensions over a seven-month period demonstrates that the campaign operators are systematically working through the full open source ecosystem rather than focusing on a single language or registry. The TaskJacker merge in April extended the attack surface from package installation to IDE workspace opening — a development that changes the threat model for any organization whose developers work with open source repositories.The campaign's technical sophistication — blockchain C2, Git history rewriting, anti-dated commits, multi-stage encrypted payloads, loader-based architecture enabling payload swapping — reflects state-level resources and patience. These are not opportunistic attacks. They are systematic operations designed to persist in developer environments and exfiltrate high-value credentials at scale.
For healthcare security programs, the immediate priorities are clear: audit your application dependency trees against the PolinRider IOC tracker, review VS Code workspace configurations for TaskJacker indicators, confirm EDR coverage on developer workstations with Node.js process monitoring active, brief your development teams on the clean-machine remediation requirement, and establish that CI/CD credential exposure from a compromised developer workstation is a HIPAA breach notification analysis trigger. The campaign is ongoing. New malicious packages continue to surface. The audit is not a one-time action.
This is entry #55 in the AI Security Series. For related coverage, see AI Security Series #54: Claude Code Desktop — A Security Evaluation for Healthcare DevSecOps Programs and AI Security Series #49: Claude Code's Hidden Fingerprint.
Key Links
- Socket Threat Research: PolinRider — North Korea-Linked Supply Chain Campaign (Primary Research)
- Socket: Live PolinRider IOC Tracker (Affected Packages)
- SecurityWeek: North Korean Hackers Target Open Source Developers in Supply Chain Attacks
- The Hacker News: North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign
- Rescana: Active Exploitation Alert — PolinRider Supply Chain Attack (Full Technical Analysis)
- DevOps.com: North Korea Expands the Reach of PolinRider Supply Chain Attack Campaign
- OpenSourceMalware/PolinRider: Full CSV of Affected Repositories
- MITRE ATT&CK: Lazarus Group (Famous Chollima) Reference