North Korean state-linked hackers behind the so‑called Contagious Interview activity have been observed massively abusing open ecosystems for developers and browser users. As part of an ongoing campaign dubbed PolinRider, the group has published 108 distinct malicious software packages and web browser extensions across npm, Packagist, Go modules and the Google Chrome ecosystem.
Researchers warn that the operation is still live and that new rogue packages are likely to surface as attackers take over maintainer accounts and abuse the trust placed in popular open-source registries and extension stores.
Malicious packages across multiple ecosystems
In the PolinRider campaign, the threat actors have seeded malware into several major developer platforms rather than focusing on a single registry. The malicious uploads span:
- npm – the dominant JavaScript package manager used in Node.js and front-end workflows
- Packagist – the primary PHP package repository
- Go modules – the packaging mechanism used by the Go programming language
- Google Chrome extensions – browser add-ons distributed via Google’s ecosystem
This broad targeting increases the chances of the malware being pulled into real projects and user environments, especially when it is disguised as legitimate functionality or linked to familiar maintainer names.
Account compromise at the core of the operation
According to analysis, the operators behind PolinRider do not rely solely on creating new, obviously suspicious projects. Instead, they also attempt to compromise existing maintainer accounts in these ecosystems. By doing so, they can publish or update packages under trusted identities, making malicious changes harder to spot and more likely to be installed by unsuspecting developers.
Once a popular account is under attacker control, malicious versions of otherwise benign libraries can be introduced, or additional packages can appear under a recognizable author name. This tactic is especially dangerous in environments where dependencies are updated automatically.
Continuing activity and risk for developers
The PolinRider campaign is described as active and evolving rather than a one-off incident. Security teams tracking the activity expect more malicious entries to surface over time as the attackers continue to:
- Target maintainers with phishing, credential theft or other account-takeover techniques
- Publish new packages that mimic legitimate tools or libraries
- Leverage browser extensions to reach end users directly
For developers and organizations that depend heavily on npm, Packagist or Go, this raises the risk of supply-chain compromise via standard update mechanisms. Browser users installing extensions from seemingly reputable publishers may also be exposed.
What developers and admins should do
Security teams and developers are advised to treat public package registries and extension stores as untrusted sources and apply stricter controls around what is allowed into production environments. Recommended defensive steps include:
- Locking and monitoring maintainer accounts with strong, unique passwords and multi-factor authentication
- Pinning dependency versions and avoiding blind automatic updates from public registries
- Auditing dependencies for unusual changes in ownership, version history or behavior
- Restricting browser extensions in corporate environments to a vetted allowlist
- Using software composition analysis (SCA) and similar tools to track and review third-party components
The PolinRider campaign underlines how open-source and browser extension ecosystems continue to be prime targets for state-backed actors. Organizations that rely on these platforms for development and day‑to‑day work should assume that malicious packages and extensions will keep appearing and adapt their processes accordingly.