North Korea-Linked Hackers Hide JavaScript Loaders in Open Source Repositories
A new wave of supply chain attacks is spreading across the open source world, and this time the target is developers themselves.
Security researchers have uncovered a campaign called PolinRider that hides malicious JavaScript loaders inside trusted code repositories, waiting for unsuspecting developers to run them.
The campaign has been linked to North Korean threat actors tied to the broader Contagious Interview and Famous Chollima activity clusters.
These groups are known for targeting software engineers with fake job offers and infected coding tests, and PolinRider appears to be an extension of that playbook, only this time hidden inside legitimate looking packages.
What makes PolinRider dangerous is its reach. It began on npm but has since spread into Packagist, Go modules, and even a Chrome extension, showing the attackers are not sticking to a single ecosystem.
Researchers from Socket.dev said the campaign has grown far larger than earlier reports suggested.
Socket.dev said in a report shared with Cyber Security News (CSN) that they identified 162 malicious release artifacts spread across 108 unique packages and extensions, including 80 compromised Go modules, 10 Packagist packages, and one Chrome extension.
The scale of this discovery shows how a single group can quietly poison multiple corners of the open source supply chain at once. Because the malicious code hides inside legitimate looking files, many developers may have installed it without realizing anything was wrong.
North Korea-Linked Hackers Hide JavaScript Loaders
The attackers behind PolinRider rely on a mix of old and new tricks to stay hidden. Earlier waves buried obfuscated JavaScript inside configuration files such as those ending in config.js, counting on developers not to scroll through every line of code.
More recent versions disguise the malicious script as a fake .woff2 font file, a format most developers would never think to inspect.
Execution is triggered quietly through Visual Studio Code task files, which can run automatically when a folder is opened.
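The fake-font trick works because nobody opens a .woff2 file, but a font file has a fixed header that a script cannot carry. The following Python scanner is an added example for this article, not Socket.dev's tooling or anything from the campaign itself: it walks a checkout, checks every file with a font extension against the known font container signatures, and flags files that lack one and additionally contain JavaScript-looking tokens. The two sample files it builds are constructed for the demo.

```python
"""Flag files that claim to be fonts but do not carry a font signature.

Added example; not code from Socket.dev or from the PolinRider campaign.
The sample files built by demo_tree() are constructed so the check runs offline.
"""
import os
import re
import tempfile

# First four bytes of the common font containers (WOFF2, WOFF, OpenType CFF, TrueType).
FONT_MAGIC = {
    b"wOF2": "WOFF2",
    b"wOFF": "WOFF",
    b"OTTO": "OpenType (CFF)",
    b"\x00\x01\x00\x00": "TrueType",
    b"true": "TrueType (Mac)",
}
FONT_EXTENSIONS = {".woff2", ".woff", ".ttf", ".otf"}

# Tokens that only make sense in script text, never inside a binary font blob.
SCRIPT_TOKENS = re.compile(rb"\b(eval|require|function|Buffer\.from|fetch)\b")


def inspect_font_file(path):
    """Return a verdict for one file that has a font extension.

    'ok'             header matches a known font container
    'not-a-font'     header does not match any container
    'script-in-font' no font header and the body contains script-like tokens
    """
    with open(path, "rb") as fh:
        head = fh.read(4096)
    fmt = FONT_MAGIC.get(head[:4])
    verdict = "ok" if fmt else "not-a-font"
    if fmt is None and SCRIPT_TOKENS.search(head):
        verdict = "script-in-font"
    return {"path": path, "format": fmt, "verdict": verdict}


def scan_tree(root):
    """Walk a checkout and inspect every file whose extension says 'font'."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in FONT_EXTENSIONS:
                findings.append(inspect_font_file(os.path.join(dirpath, name)))
    return findings


def demo_tree():
    """Build a constructed sample tree: one file with a genuine WOFF2 header and
    one 'font' that is really a script. Returns the temporary directory path."""
    root = tempfile.mkdtemp(prefix="fontscan-")
    os.makedirs(os.path.join(root, "assets"))
    with open(os.path.join(root, "assets", "inter.woff2"), "wb") as fh:
        fh.write(b"wOF2\x00\x01\x00\x00" + b"\x00" * 64)  # constructed WOFF2 header
    with open(os.path.join(root, "assets", "icons.woff2"), "wb") as fh:
        fh.write(b"/* font */ eval(require('fs').readFileSync(__filename))")  # constructed fake
    return root


if __name__ == "__main__":
    for finding in scan_tree(demo_tree()):
        print(finding["verdict"], finding["path"])
```

Point the scanner at a repository root instead of demo_tree() to audit a real checkout. A file that comes back as not-a-font is worth a look even without script tokens, since the loader's obfuscation may not use any of the words matched here.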

Once active, the loader reaches out to blockchain and public RPC services, including TRON, Aptos, and BNB Smart Chain networks.
It uses these connections to fetch an encrypted second stage payload, decrypt it with an embedded XOR key, and run it using the eval function.
The payloads observed so far include DEV#POPPER and OmniStealer, both capable of remote command execution, of communicating with attacker servers through socket.io-client, and of stealing credentials, browser data, and wallet information.
Compromised Accounts and Repository Manipulation
A major piece of this campaign centers on a GitHub account named Xpos587. Several repositories tied to this account were modified within the same narrow window on June 23 at 10:00 UTC, a pattern that lines up with account takeover rather than normal maintenance.
Two repositories connected to this account, Xpos587/git2md and Xpos587/markfetch, along with a separate project called Artiffusion-Inc/mirofish, were found carrying the hidden loader.
The markfetch repository used the fake font trick, while mirofish hid its payload inside a file called vite.config.js.

On Packagist, the campaign expanded through a namespace called sevenspan, tied to the 7span organization, with the 7span/react-list package among those affected.
Maintainers removed the fake font files once discovered, but obfuscated code hidden in configuration files remained untouched, showing partial cleanup is not enough.
The attackers also used Git history rewriting, including force pushes and backdated commits, so tampered code appears older than it really is.
Visible commit history on GitHub cannot be trusted alone, and defenders need to check activity logs directly.
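Because a force push can replace history and a commit's dates can be set to any value, the timeline GitHub renders is only as honest as the pusher. The script below is an added example for this article, not Socket.dev's method: it reads a git log in a fixed format (the reader runs `git log --first-parent --format='%H|%P|%at|%ct'` separately and feeds in the output) and applies three cheap heuristics. The sample log and its hashes are constructed placeholders, not IoCs from the campaign.

```python
"""Heuristics for spotting rewritten or backdated commits in a git log.

Added example for this article, not Socket.dev's tooling. Input is the output of
    git log --first-parent --format='%H|%P|%at|%ct'
(hash | parent hashes | author timestamp | committer timestamp), newest first.
SAMPLE_LOG is constructed; the hashes are placeholders.
"""
from collections import Counter

SAMPLE_LOG = """\
d4d4d4d4|c3c3c3c3|1750672800|1750672800
c3c3c3c3|b2b2b2b2|1750672800|1750672800
b2b2b2b2|a1a1a1a1|1747400000|1747400000
a1a1a1a1|90909090|1748000000|1748000000
90909090||1745000000|1746000000
"""


def parse_log(text):
    """Turn the pipe-separated log lines into commit dicts (newest first)."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, parents, author_ts, commit_ts = line.split("|")
        commits.append({
            "sha": sha,
            "parent": parents.split()[0] if parents.strip() else None,
            "author_ts": int(author_ts),
            "commit_ts": int(commit_ts),
        })
    return commits


def flag_history(commits):
    """Return [(sha, [reasons])] for commits that trip any heuristic.

    rewritten          author date differs from committer date: the commit was
                       amended, rebased or cherry-picked after it was written
    non-monotonic      committer date is earlier than the parent's: the commit
                       claims to have been made before the history it sits on
    same-second-batch  several commits share one committer timestamp: a batch
                       rewrite, which is the moment to compare against push logs
    """
    by_sha = {c["sha"]: c for c in commits}
    ts_count = Counter(c["commit_ts"] for c in commits)
    findings = []
    for c in commits:
        reasons = []
        if c["author_ts"] != c["commit_ts"]:
            reasons.append("rewritten")
        parent = by_sha.get(c["parent"]) if c["parent"] else None
        if parent and c["commit_ts"] < parent["commit_ts"]:
            reasons.append("non-monotonic")
        if ts_count[c["commit_ts"]] > 1:
            reasons.append("same-second-batch")
        if reasons:
            findings.append((c["sha"], reasons))
    return findings


if __name__ == "__main__":
    for sha, reasons in flag_history(parse_log(SAMPLE_LOG)):
        print(sha, ", ".join(reasons))
```

None of these checks is proof on its own: an interactive rebase produces the same-second batch legitimately, and an attacker who sets both dates and keeps them in order defeats the first two. What the heuristics give you is a short list of commits and a timestamp to line up against the repository's push and activity logs, which is the comparison the article calls for.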
Security teams should treat any environment running an affected package as compromised until proven otherwise.
The company recommended preserving forensic evidence, rebuilding from known good lockfiles, and rotating exposed secrets from a clean machine rather than the infected one.
Additional guidance includes auditing machines for VS Code tasks set to run automatically on folder open, and reviewing repositories for suspicious changes to files like tasks.json, config.js, and vite.config.js.
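VS Code runs a task automatically when its `runOptions.runOn` is set to `folderOpen`, which is the hook the article describes. The audit script below is an added example, not Socket.dev's tooling: it finds every `.vscode/tasks.json` under a directory, parses the JSON-with-comments dialect VS Code accepts, and reports auto-running tasks, raising the severity when the task's command mentions one of the file names the article lists. The sample tasks.json it writes is constructed for the demo.

```python
"""Audit .vscode/tasks.json files for tasks that run automatically on folder open.

Added example for this article; not Socket.dev's tooling. The sample tasks.json
written by demo_tree() is constructed.
"""
import json
import os
import re
import tempfile

# File names the article reports as carriers of the loader. A folderOpen task
# whose command touches one of them is a stronger signal than folderOpen alone.
WATCHED_NAMES = ("config.js", "vite.config.js", ".woff2")


def strip_jsonc(text):
    """Drop /* */ blocks, full-line // comments and trailing commas so that
    json.loads accepts the JSON-with-comments dialect used by tasks.json.
    (Deliberately simple: it does not handle comment markers inside strings.)"""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(?m)^\s*//.*$", "", text)
    text = re.sub(r",\s*([}\]])", r"\1", text)
    return text


def task_command(task):
    """Flatten a task's command and args into one string for inspection."""
    cmd = task.get("command", "")
    if isinstance(cmd, dict):  # {"value": ..., "quoting": ...} form
        cmd = cmd.get("value", "")
    args = task.get("args", [])
    parts = [str(cmd)] + [a.get("value", "") if isinstance(a, dict) else str(a) for a in args]
    return " ".join(p for p in parts if p)


def audit_tasks_file(path):
    """Return findings for every task in one tasks.json that runs on folder open."""
    with open(path, encoding="utf-8") as fh:
        data = json.loads(strip_jsonc(fh.read()))
    findings = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = task_command(task)
        hits = [name for name in WATCHED_NAMES if name in cmd]
        findings.append({
            "file": path,
            "label": task.get("label", "<unnamed>"),
            "command": cmd,
            "touches": hits,
            "severity": "high" if hits else "medium",
        })
    return findings


def audit_tree(root):
    """Audit every .vscode/tasks.json below root (a checkout or a home directory)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in files:
            findings.extend(audit_tasks_file(os.path.join(dirpath, "tasks.json")))
    return findings


SAMPLE_TASKS_JSON = r"""{
  // constructed sample in the shape of a real tasks.json
  "version": "2.0.0",
  "tasks": [
    { "label": "lint", "type": "shell", "command": "npm run lint" },
    {
      "label": "prepare",
      "type": "shell",
      "command": "node",
      "args": ["-e", "require('./assets/icons.woff2')"],
      "runOptions": { "runOn": "folderOpen" },
    },
  ]
}"""


def demo_tree():
    """Write the constructed tasks.json into a temporary checkout and return its root."""
    root = tempfile.mkdtemp(prefix="tasksaudit-")
    os.makedirs(os.path.join(root, ".vscode"))
    with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_TASKS_JSON)
    return root


if __name__ == "__main__":
    for f in audit_tree(demo_tree()):
        print(f["severity"], f["label"], "->", f["command"])
```

Run audit_tree() over the directories where developers keep their checkouts; a medium finding is a task to read, a high finding is a task to treat as the article says, with the machine assumed compromised until proven otherwise. On the prevention side, VS Code's `task.allowAutomaticTasks` setting can be set to `off` so that folderOpen tasks never start without an explicit action.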
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post North Korea-Linked Hackers Hide JavaScript Loaders in Open Source Repositories appeared first on Cyber Security News.
Tushar Subhra Dutta