A recent analysis has revealed that North Korean threat actors, associated with the Contagious Interview campaign, have published 108 unique malicious packages and web browser extensions. This activity is part of an ongoing operation known as PolinRider, which has been active since at least 2023.
Details of the Malicious Packages
The 162 malicious artifacts include 19 npm libraries, 10 Composer packages, 61 Go modules, and one Google Chrome extension. Security researcher Karlo Zanki from Socket noted that the campaign remains active, with new malicious packages likely to emerge as attackers compromise maintainer accounts and modify legitimate repositories.
Modus Operandi of the Attackers
The Contagious Interview campaign targets software developers and individuals in the cryptocurrency sector by using deceptive job recruitment tactics. Attackers impersonate recruiters on platforms like LinkedIn and GitHub, often creating fake companies and AI-generated profiles to gain trust and deliver malware.
Technical Aspects of the Attack
PolinRider was first identified by the OpenSourceMalware team in March 2026, which reported that the attackers implant malicious JavaScript payloads in public GitHub repositories. As of April 11, 2026, the campaign had compromised 1,951 public repositories linked to 1,047 unique owners. The malware is designed to append malicious code to specific configuration files and utilizes a Windows batch script to alter commit history, making it appear as if the changes were made by the original authors.
Recommendations for Affected Users
Users who have installed these malicious packages should treat their environments as compromised. It is advised to rotate any exposed secrets from a secure machine, remove the affected versions, and rebuild from a known good lockfile. Additionally, auditing developer workstations and repositories for any suspicious changes is crucial.
As the campaign continues to evolve, it is essential for developers and organizations to remain vigilant and monitor repository activity closely.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








