North Korean hackers have launched another large-scale software supply chain attack, publishing more than 100 malicious packages across popular developer platforms in an effort to infect software developers and cryptocurrency professionals.

According to a report by The Hacker News, security researchers at Socket uncovered an ongoing campaign known as PolinRider, which is linked to the infamous Contagious Interview operation. The campaign has already distributed 108 malicious packages and browser extensions, spanning npm, Composer (Packagist), Go modules, and even the Google Chrome Web Store.

Researchers found a total of 162 malicious package releases, including 19 npm libraries, 10 Composer packages, 61 Go modules, and one Chrome extension. The attackers are believed to be continuously adding new packages after compromising maintainer accounts, modifying legitimate repositories, and publishing infected versions whenever they gain access.

The Contagious Interview campaign has been active since at least 2023 and is known for targeting developers by posing as recruiters or hiring managers on platforms such as LinkedIn, GitHub, and freelance marketplaces. Victims are invited to fake job interviews or coding assessments that ultimately lead them to download and execute malicious code.

Earlier investigations revealed that the attackers had already compromised nearly 2,000 public GitHub repositories belonging to more than 1,000 developers. The campaign later expanded with another activity known as TaskJacker, which secretly inserts malicious Visual Studio Code task files into existing repositories.

One of the most dangerous techniques used in this campaign is the abuse of Visual Studio Code’s automatic task execution. By configuring tasks to run whenever a project folder is opened, attackers can execute malicious JavaScript without requiring the developer to manually launch any suspicious files.


Researchers believe the hackers are not primarily stealing GitHub passwords. Instead, victims are initially infected through malicious npm packages or rogue VS Code extensions. After gaining access, the attackers can take control of maintainer accounts and distribute compromised software updates to unsuspecting users.

Once installed, the malware searches for common JavaScript project configuration files such as postcss.config.mjs, tailwind.config.js, eslint.config.mjs, next.config.mjs, babel.config.js, and app.js. If these files exist, the malware silently injects additional malicious JavaScript, allowing the infection to spread further.

The attackers also manipulate Git commit history by rewriting commits and changing timestamps, making malicious changes appear older and less suspicious. This tactic makes it much harder for developers to detect unauthorized modifications by simply reviewing repository history.

The latest version of the malware contacts blockchain services, including TRON, Aptos, and BNB Smart Chain, to download encrypted second-stage payloads that eventually deploy DEV#POPPER RAT and OmniStealer, giving attackers remote access to infected systems while stealing sensitive data.

Security researchers warn that developers should not rely solely on Git commit history to determine whether a project is safe. Instead, they recommend reviewing repository activity logs, package release metadata, Visual Studio Code task configurations, and unexpected changes to configuration files.

Developers who have installed any of the affected packages are advised to immediately treat their systems as compromised. Recommended steps include rotating all credentials from a clean device, removing malicious package versions, rebuilding projects from trusted lockfiles, and auditing repositories for unauthorized changes to files such as .vscode/tasks.json, vite.config.js, config.js, and eslint.config.js.
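The audit steps above can be scripted. The following is an added example written for this page, not tooling from Socket or The Hacker News. It covers three of the indicators the article describes: a `.vscode/tasks.json` task set to run automatically when the folder is opened (VS Code's `runOptions.runOn: "folderOpen"` setting is the mechanism behind the automatic task execution described earlier), the presence of the JavaScript configuration files named as injection targets, and commits whose committer date is far from their author date, which is one heuristic for rewritten history (an attacker who sets both dates defeats it, so it is a signal to investigate, not proof). The git log format `%H|%aI|%cI|%s` is real; the sample repository tree and sample log lines are constructed here for demonstration.

```python
"""Audit helpers for the PolinRider / TaskJacker indicators described in the article (added example)."""
import json
import os
import tempfile
from datetime import datetime

# Configuration files the report names as injection or audit targets.
WATCHED_CONFIG_FILES = {
    "postcss.config.mjs", "tailwind.config.js", "eslint.config.mjs", "eslint.config.js",
    "next.config.mjs", "babel.config.js", "app.js", "vite.config.js", "config.js",
}


def find_auto_run_tasks(tasks_json_text):
    """Return tasks whose runOptions.runOn is 'folderOpen', or None if the file does not parse.

    tasks.json may contain comments (JSONC); an unparseable file is reported for manual review
    rather than silently skipped, since that is exactly where a hidden task could sit.
    """
    try:
        data = json.loads(tasks_json_text)
    except json.JSONDecodeError:
        return None
    flagged = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            flagged.append({"label": task.get("label"), "type": task.get("type"),
                            "command": task.get("command")})
    return flagged


def audit_repo(root):
    """Walk a checkout and collect auto-run tasks, unparseable tasks.json files and watched configs."""
    findings = {"auto_run_tasks": [], "unparseable_tasks_json": [], "config_files": []}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in WATCHED_CONFIG_FILES:
                findings["config_files"].append(rel)
            if name == "tasks.json" and os.path.basename(dirpath) == ".vscode":
                with open(path, encoding="utf-8") as fh:
                    tasks = find_auto_run_tasks(fh.read())
                if tasks is None:
                    findings["unparseable_tasks_json"].append(rel)
                else:
                    findings["auto_run_tasks"].extend((rel, t) for t in tasks)
    return findings


def flag_rewritten_commits(log_lines, max_skew_seconds=3600):
    """Flag commits whose committer date is more than max_skew_seconds from the author date.

    Input lines come from: git log --format='%H|%aI|%cI|%s'
    A freshly amended or rebased commit keeps the (possibly back-dated) author date but gets a new
    committer date unless the attacker also forges it; large skew is a signal to inspect, not proof.
    """
    flagged = []
    for line in log_lines:
        commit, author_iso, committer_iso, subject = line.split("|", 3)
        skew = (datetime.fromisoformat(committer_iso) - datetime.fromisoformat(author_iso)).total_seconds()
        if abs(skew) > max_skew_seconds:
            flagged.append({"commit": commit, "skew_days": round(skew / 86400, 1), "subject": subject})
    return flagged


# Constructed sample git log (not from any real repository): the second commit carries a
# six-month-old author date but a fresh committer date.
SAMPLE_GIT_LOG = [
    "aaaa1111|2024-05-02T09:00:00+00:00|2024-05-02T09:00:00+00:00|Update README",
    "bbbb2222|2023-11-10T08:30:00+00:00|2024-05-02T09:05:00+00:00|chore: tidy eslint config",
]


def build_sample_repo():
    """Create a throwaway sample tree (constructed test data) with one folderOpen task and two configs."""
    root = tempfile.mkdtemp(prefix="audit-sample-")
    os.makedirs(os.path.join(root, ".vscode"))
    tasks = {"version": "2.0.0", "tasks": [
        # The concern is the trigger, not the command text: this runs as soon as the folder opens.
        {"label": "prepare", "type": "shell", "command": "node ./scripts/setup.js",
         "runOptions": {"runOn": "folderOpen"}},
        {"label": "build", "type": "shell", "command": "npm run build"},
    ]}
    with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
        json.dump(tasks, fh)
    for name in ("eslint.config.mjs", "next.config.mjs", "package.json"):
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write("// sample file\n")
    return root


if __name__ == "__main__":
    print(json.dumps(audit_repo(build_sample_repo()), indent=2))
    print(json.dumps(flag_rewritten_commits(SAMPLE_GIT_LOG), indent=2))
```

Point `audit_repo` at a real checkout and feed `flag_rewritten_commits` the output of the `git log` format shown in its docstring; every hit from the first function should be compared against the platform's activity log and package release metadata, as the researchers recommend, since a matching config file on disk is expected in most JavaScript projects and only its content and change history tell you whether it was tampered with.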


Source: The Hacker News