{"id":14054,"date":"2026-07-03T10:03:38","date_gmt":"2026-07-03T10:03:38","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/03\/north-korea-linked-hackers-hide-javascript-loaders-in-open-source-repositories\/"},"modified":"2026-07-03T10:03:38","modified_gmt":"2026-07-03T10:03:38","slug":"north-korea-linked-hackers-hide-javascript-loaders-in-open-source-repositories","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/03\/north-korea-linked-hackers-hide-javascript-loaders-in-open-source-repositories\/","title":{"rendered":"North Korea-Linked Hackers Hide JavaScript Loaders in Open Source Repositories"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">A new wave of supply chain attacks is spreading across the open source world, and this time the target is developers themselves. 
<\/p>\n<p class=\"wp-block-paragraph\">Security researchers have uncovered a campaign called PolinRider that hides malicious JavaScript loaders inside trusted code repositories, waiting for unsuspecting developers to run them.<\/p>\n<p class=\"wp-block-paragraph\">The campaign has been linked to North Korean threat actors 
tied to the broader Contagious Interview and Famous Chollima activity clusters. <\/p>\n<p class=\"wp-block-paragraph\">These groups are known for targeting <a href=\"https:\/\/cybersecuritynews.com\/fake-crowdstrike-job-offers\/\" id=\"88172\" target=\"_blank\" rel=\"noreferrer noopener\">software engineers with fake job offers<\/a> and infected coding tests, and PolinRider appears to be an extension of that playbook, only this time hidden inside legitimate looking packages.<\/p>\n<p class=\"wp-block-paragraph\">What makes PolinRider dangerous is its reach. It began on npm but has since spread into Packagist, Go modules, and even a Chrome extension, showing the attackers are not sticking to a single ecosystem.<\/p>\n<p class=\"wp-block-paragraph\">Researchers from Socket.dev said the campaign has grown far larger than earlier reports suggested. <\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/socket.dev\/blog\/polinrider-north-korea-linked-supply-chain-campaign-expands?__cf_chl_f_tk=RY9I8HKD2zM6nI.B6T.xHMwN8teWtZIcTGyEK_U4GM8-1783060318-1.0.1.1-vIjyFnWe48yt3irlB09N0Qm5kZyNwQnBJf0xxnLiUoA\" id=\"https:\/\/socket.dev\/blog\/polinrider-north-korea-linked-supply-chain-campaign-expands?__cf_chl_f_tk=RY9I8HKD2zM6nI.B6T.xHMwN8teWtZIcTGyEK_U4GM8-1783060318-1.0.1.1-vIjyFnWe48yt3irlB09N0Qm5kZyNwQnBJf0xxnLiUoA\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Socket.dev said in a report<\/a> shared with Cyber Security News (CSN) that they identified 162 malicious release artifacts spread across 108 unique packages and extensions, including 80 compromised Go modules, 10 Packagist packages, and one Chrome extension.<\/p>\n<p class=\"wp-block-paragraph\">The scale of this discovery shows how a single group can quietly poison multiple corners of the open source supply chain at once. Because the malicious code hides inside legitimate looking files, many developers may have installed it without realizing anything was wrong.<\/p>\n<h2 id=\"h-north-korea-linked-hackers-hide-javascript-loaders\" class=\"wp-block-heading\"><strong>North Korea-Linked Hackers Hide JavaScript Loaders<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The attackers behind PolinRider rely on a mix of old and new tricks to stay hidden. 
Earlier waves buried obfuscated JavaScript inside configuration files such as those ending in config.js, counting on developers not to scroll through every line of code.<\/p>\n<p class=\"wp-block-paragraph\">More recent versions disguise the <a 
href=\"https:\/\/cybersecuritynews.com\/huge-wave-of-malicious-efimer-malicious-script-attack-users\/\" id=\"120296\" target=\"_blank\" rel=\"noreferrer noopener\">malicious script as a fake dot woff2 font file<\/a>, a format most developers would never think to inspect. <\/p>\n<p class=\"wp-block-paragraph\">Execution is triggered quietly through Visual Studio Code task files, which can run automatically when a folder is opened.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhc1YJzB9JEMI8DeVyWMC1TqicgFWFB1AmT9iE9yZ4Ko8bH4DnD_6Kuxe1BcM-HxCGBwIPYnUNd0S0lEf5vzkc1LJwUVVCP-ro2j5s6ReNc1xMQkU5dFw_v8c8hSeZyFALOCed0gj9tztf0PKTbyhvmTkCDPPlBMWaV8yq_lgIPYYxIETwzavwFpyU29-4\/s1600\/The%2520Xpos587%2520repository%2520list%2520shows%2520multiple%2520unrelated%2520projects%2520updated%2520in%2520the%2520same%2520period%2520%28Source%2520-%2520Socket.dev%29.webp?ssl=1\" alt=\"The Xpos587 repository list shows multiple unrelated projects updated in the same period (Source - Socket.dev)\"><figcaption class=\"wp-element-caption\">The Xpos587 repository list shows multiple unrelated projects updated in the same period (Source \u2013 Socket.dev)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">Once active, the loader reaches out to blockchain and public RPC services, including TRON, Aptos, and BNB Smart Chain networks. 
<\/p>\n<p class=\"wp-block-paragraph\">It uses these connections to fetch an encrypted second stage payload, decrypt it with an embedded XOR key, and run it using the eval function.<\/p>\n<p class=\"wp-block-paragraph\">The payloads observed so far include DEV#POPPER and OmniStealer, both capable of remote command execution, 
communicating with attacker servers through socket.io-client, and stealing credentials, browser data, and wallet information.<\/p>\n<h2 id=\"h-compromised-accounts-and-repository-manipulation\" class=\"wp-block-heading\"><strong>Compromised Accounts and Repository Manipulation<\/strong><\/h2>\n<p 
class=\"wp-block-paragraph\">A major piece of this campaign centers on a GitHub account named Xpos587. Several repositories tied to this account were modified within the same narrow window on June 23 at 10:00 UTC, a pattern that lines up with account takeover rather than normal maintenance.<\/p>\n<p 
class=\"wp-block-paragraph\">Two repositories connected to this account, Xpos587\/git2md and Xpos587\/markfetch, along with a separate project called Artiffusion-Inc\/mirofish, were found carrying the hidden loader. <\/p>\n<p class=\"wp-block-paragraph\">The markfetch repository used the fake font trick, while mirofish hid its payload inside a file called vite.config.js. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhQu5YWtHzhYdyZvoj-cTtJHS37f4Iblu9nk9yAIUEJNh0IVhrIsXTGVZz5ViNPw3RASn6haQfBOSecJoRcyTEfErWCbOXJ7ECZO7Eg0puRqL914HR3dypbP0f0dikQvcNN5Z99nmYGhkbI-htDcpu8wIB2FxXPHqekCvHMIwBc5q-IV2EMjS5blRWCQhU\/s1600\/GitHub%2520Activity%2520exposes%2520the%2520force%2520push%2520used%2520to%2520rewrite%2520repository%2520history%2520%28Source%2520-%2520Socket.dev%29.webp?ssl=1\" alt=\"GitHub Activity exposes the force push used to rewrite repository history (Source - Socket.dev)\"><figcaption class=\"wp-element-caption\">GitHub Activity exposes the force push used to rewrite repository history (Source \u2013 Socket.dev)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">On Packagist, the campaign expanded through a namespace called sevenspan, tied to the 7span organization, with the 7span\/react-list package among those affected. 
<\/p>\n<p class=\"wp-block-paragraph\">Maintainers removed the fake font files once discovered, but <a href=\"https:\/\/cybersecuritynews.com\/remcos-rat-infection-chain-hides-behind-obfuscated\/\" id=\"146390\" target=\"_blank\" rel=\"noreferrer noopener\">obfuscated code hidden in configuration files remained untouched<\/a>, showing partial cleanup is not enough.<\/p>\n<p class=\"wp-block-paragraph\">The attackers also used Git history rewriting, including force pushes and backdated commits, so tampered code appears older than it really is. <\/p>\n<p class=\"wp-block-paragraph\">Visible commit history on GitHub cannot be trusted alone, and defenders need to check activity logs directly.<\/p>\n<p class=\"wp-block-paragraph\">Security teams should treat any environment running an affected package as compromised until proven otherwise. <\/p>\n<p class=\"wp-block-paragraph\">The company recommended preserving forensic evidence, rebuilding from known good lockfiles, and rotating exposed secrets from a clean machine rather than the infected one.<\/p>\n<p class=\"wp-block-paragraph\">Additional guidance includes <a href=\"https:\/\/cybersecuritynews.com\/microsoft-vs-code-remote-ssh-extension-hacked\/\" id=\"122147\" target=\"_blank\" rel=\"noreferrer noopener\">auditing machines for VS Code tasks<\/a> set to run automatically on folder open, and reviewing repositories for suspicious changes to files like tasks.json, config.js, and vite.config.js.<\/p>\n<p class=\"wp-block-paragraph\" id=\"h-indicators-of-compromise-iocs\"><strong>Indicators of Compromise (IoCs):-<\/strong><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>GitHub Account<\/td>\n<td>Xpos587<\/td>\n<td>Threat actor controlled account linked to bulk repository modification on June 23, 10:00 UTC\n<\/td>\n<\/tr>\n<tr>\n<td>GitHub Repository<\/td>\n<td>Xpos587\/git2md<\/td>\n<td>Repository compromised as part of the PolinRider campaign\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/90091dfb-7fba-401d-914a-123f76c7b884\/North-Korea-Linked-Hackers-Hide-JavaScript-Loaders-in-Open-Source-Repositories.pdf?AWSAccessKeyId=ASIA2F3EMEYE6AVWYB4J&amp;Signature=7geqPKMx4DO2%2FKLXbFJYi6WIJlU%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjED8aCXVzLWVhc3QtMSJIMEYCIQDcIt40EBTbToA7vDbUcD6QnECrFAW6iM7qwS%2FeV%2BbDDAIhALb2DBp0QaxRj07M%2Bi2gobEATjg2SXYIeoADk0gvK%2BitKvMECAgQARoMNjk5NzUzMzA5NzA1IgxCtyghTHSitNlsDQQq0AQVdgavdp6j6%2FkaS9pls7mhTr1ZyZg%2BbTf1hRRk0js0E0f2A9JKgp%2FfvAqTE4XrmfVjg9Hld6ONrXppzFxLZCva2As15Gm08Pbb0kP0fR%2FsPSiVsm62%2B5dPn9y10SMGxdJOM%2FWMoqucnN6or%2FfjIx8QJ%2FOly5IQgAMgiMj%2BBYSf1t7be7pO%2BDlrAQ0%2BV%2Bu6FWP1CeCoCAoOCT43EgByBoVhOdekqLdPNJj9njMftbLzHHmeTc3ELAO23aMdpAPF1aYCQurdKXDJ9HFrFbqG%2FdTmma55b50fyXkJMYVpMi6O2RayFLm2q9bXW%2BW4EMvLooGkWSr0gXYYx2POuE3zlvpLawlmjbXv%2FloFPTuXp1qb7eYcTHeWWbkyRmYbZ1rHWfJPB96Bn1QtREE5uD%2BC0W%2BYKPjR9CNjJAa11KTFQKu6Uv9pzgONNPeCCQVv9iLAGJoil0BNXeALgeqLGn0%2F3KBpLr9CdRkz2b1nU2UBZNEeyeonmgYvO7YBp7IeT%2F1NNy5UgfRHBrf7YmoPF70F%2Fb0M9eyGjXrjTxviSY2HSBifxUhbgqozoloLD2JBAWiVPTEHwBx7Xz2uAr2zmHRChS9LfuEgSudKHcGg6KhD40JV6UXuM0EiQ4%2BBvj8%2FiBy8VGUHXmKZWXr2w3rpBmen9Y01yvP2BUFf9Xz%2FTubncmossujq0u4%2FJ%2FI9cr4f1to%2FnBfk5kHQIGypXxjLFAweUgET98oQMbVN6Lrx1MG2MD75UrkrWTQ7KxTl2e1Vvq8IVBRmBbp6HXSATNpF
dV9A4aPeMO%2BundIGOpcBSuNa22ZqIfHEmdOuQBkmm4cJd0a6mVybu2mQsZjz9JfK6fGlbK1b86Or7zvyHBLJtTOwdDQ7LlClBwEl4KGAjcMbAFQas1HAgA36tGJiEXAJfIOHkejQq7Sme8maN%2BPsl9eD7r%2FRwJWBGk%2FSqk2W%2FfmWs4ImpU%2FpQ%2BI5J7e8xqCsNfEG2N%2BnLnksqB5l9cqyUYTq5CBg0A%3D%3D&amp;Expires=1783063874\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>GitHub Repository<\/td>\n<td>Xpos587\/markfetch<\/td>\n<td>Repository hiding a fake .woff2 font file payload\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/90091dfb-7fba-401d-914a-123f76c7b884\/North-Korea-Linked-Hackers-Hide-JavaScript-Loaders-in-Open-Source-Repositories.pdf?AWSAccessKeyId=ASIA2F3EMEYE6AVWYB4J&amp;Signature=7geqPKMx4DO2%2FKLXbFJYi6WIJlU%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjED8aCXVzLWVhc3QtMSJIMEYCIQDcIt40EBTbToA7vDbUcD6QnECrFAW6iM7qwS%2FeV%2BbDDAIhALb2DBp0QaxRj07M%2Bi2gobEATjg2SXYIeoADk0gvK%2BitKvMECAgQARoMNjk5NzUzMzA5NzA1IgxCtyghTHSitNlsDQQq0AQVdgavdp6j6%2FkaS9pls7mhTr1ZyZg%2BbTf1hRRk0js0E0f2A9JKgp%2FfvAqTE4XrmfVjg9Hld6ONrXppzFxLZCva2As15Gm08Pbb0kP0fR%2FsPSiVsm62%2B5dPn9y10SMGxdJOM%2FWMoqucnN6or%2FfjIx8QJ%2FOly5IQgAMgiMj%2BBYSf1t7be7pO%2BDlrAQ0%2BV%2Bu6FWP1CeCoCAoOCT43EgByBoVhOdekqLdPNJj9njMftbLzHHmeTc3ELAO23aMdpAPF1aYCQurdKXDJ9HFrFbqG%2FdTmma55b50fyXkJMYVpMi6O2RayFLm2q9bXW%2BW4EMvLooGkWSr0gXYYx2POuE3zlvpLawlmjbXv%2FloFPTuXp1qb7eYcTHeWWbkyRmYbZ1rHWfJPB96Bn1QtREE5uD%2BC0W%2BYKPjR9CNjJAa11KTFQKu6Uv9pzgONNPeCCQVv9iLAGJoil0BNXeALgeqLGn0%2F3KBpLr9CdRkz2b1nU2UBZNEeyeonmgYvO7YBp7IeT%2F1NNy5UgfRHBrf7YmoPF70F%2Fb0M9eyGjXrjTxviSY2HSBifxUhbgqozoloLD2JBAWiVPTEHwBx7Xz2uAr2zmHRChS9LfuEgSudKHcGg6KhD40JV6UXuM0EiQ4%2BBvj8%2FiBy8VGUHXmKZWXr2w3rpBmen9Y01yvP2BUFf9Xz%2FTubncmossujq0u4%2FJ%2FI9cr4f1to%2FnBfk5kHQIGypXxjLFAweUgET98oQMbVN6Lrx1MG2MD75UrkrWTQ7KxTl2e1Vvq8IVBRmBbp6HXSATNpFdV9A4aPeMO%2BundIGOpcBSuNa22ZqIfHEmdOuQBkmm4cJd0a6mVybu2mQsZjz9JfK6fGlbK1b86Or7zvyHBLJtTOwdDQ7LlClBwEl4KGAjcMbAFQas1HAgA36tGJiEXAJfIOHkejQq7Sme8maN%2BPsl9eD7r%2FRwJWBGk%2FSqk2W%2FfmWs4I
mpU%2FpQ%2BI5J7e8xqCsNfEG2N%2BnLnksqB5l9cqyUYTq5CBg0A%3D%3D&amp;Expires=1783063874\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>GitHub Repository<\/td>\n<td>Artiffusion-Inc\/mirofish<\/td>\n<td>Repository hiding malicious code inside vite.config.js\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/90091dfb-7fba-401d-914a-123f76c7b884\/North-Korea-Linked-Hackers-Hide-JavaScript-Loaders-in-Open-Source-Repositories.pdf?AWSAccessKeyId=ASIA2F3EMEYE6AVWYB4J&amp;Signature=7geqPKMx4DO2%2FKLXbFJYi6WIJlU%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjED8aCXVzLWVhc3QtMSJIMEYCIQDcIt40EBTbToA7vDbUcD6QnECrFAW6iM7qwS%2FeV%2BbDDAIhALb2DBp0QaxRj07M%2Bi2gobEATjg2SXYIeoADk0gvK%2BitKvMECAgQARoMNjk5NzUzMzA5NzA1IgxCtyghTHSitNlsDQQq0AQVdgavdp6j6%2FkaS9pls7mhTr1ZyZg%2BbTf1hRRk0js0E0f2A9JKgp%2FfvAqTE4XrmfVjg9Hld6ONrXppzFxLZCva2As15Gm08Pbb0kP0fR%2FsPSiVsm62%2B5dPn9y10SMGxdJOM%2FWMoqucnN6or%2FfjIx8QJ%2FOly5IQgAMgiMj%2BBYSf1t7be7pO%2BDlrAQ0%2BV%2Bu6FWP1CeCoCAoOCT43EgByBoVhOdekqLdPNJj9njMftbLzHHmeTc3ELAO23aMdpAPF1aYCQurdKXDJ9HFrFbqG%2FdTmma55b50fyXkJMYVpMi6O2RayFLm2q9bXW%2BW4EMvLooGkWSr0gXYYx2POuE3zlvpLawlmjbXv%2FloFPTuXp1qb7eYcTHeWWbkyRmYbZ1rHWfJPB96Bn1QtREE5uD%2BC0W%2BYKPjR9CNjJAa11KTFQKu6Uv9pzgONNPeCCQVv9iLAGJoil0BNXeALgeqLGn0%2F3KBpLr9CdRkz2b1nU2UBZNEeyeonmgYvO7YBp7IeT%2F1NNy5UgfRHBrf7YmoPF70F%2Fb0M9eyGjXrjTxviSY2HSBifxUhbgqozoloLD2JBAWiVPTEHwBx7Xz2uAr2zmHRChS9LfuEgSudKHcGg6KhD40JV6UXuM0EiQ4%2BBvj8%2FiBy8VGUHXmKZWXr2w3rpBmen9Y01yvP2BUFf9Xz%2FTubncmossujq0u4%2FJ%2FI9cr4f1to%2FnBfk5kHQIGypXxjLFAweUgET98oQMbVN6Lrx1MG2MD75UrkrWTQ7KxTl2e1Vvq8IVBRmBbp6HXSATNpFdV9A4aPeMO%2BundIGOpcBSuNa22ZqIfHEmdOuQBkmm4cJd0a6mVybu2mQsZjz9JfK6fGlbK1b86Or7zvyHBLJtTOwdDQ7LlClBwEl4KGAjcMbAFQas1HAgA36tGJiEXAJfIOHkejQq7Sme8maN%2BPsl9eD7r%2FRwJWBGk%2FSqk2W%2FfmWs4ImpU%2FpQ%2BI5J7e8xqCsNfEG2N%2BnLnksqB5l9cqyUYTq5CBg0A%3D%3D&amp;Expires=1783063874\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>Packagist 
Namespace<\/td>\n<td>sevenspan<\/td>\n<td>Compromised namespace maintained by the 7span organization\n<\/td>\n<\/tr>\n<tr>\n<td>GitHub Organization<\/td>\n<td>7span<\/td>\n<td>Organization linked to compromised Packagist packages\n<\/td>\n<\/tr>\n<tr>\n<td>GitHub Repository<\/td>\n<td>7span\/react-list<\/td>\n<td>Repository associated with malicious release activity\n<\/td>\n<\/tr>\n<tr>\n<td>File Name<\/td>\n<td>vite.config.js<\/td>\n<td>Configuration file used to conceal obfuscated JavaScript loader\n<\/td>\n<\/tr>\n<tr>\n<td>File Type<\/td>\n<td>.woff2 (fake font file)<\/td>\n<td>Disguised payload format used to hide malicious loader code\n<\/td>\n<\/tr>\n<tr>\n<td>VS Code Config<\/td>\n<td>.vscode\/tasks.json<\/td>\n<td>Task file abused with \u201crunOn\u201d: \u201cfolderOpen\u201d to trigger loader execution\n<\/td>\n<\/tr>\n<tr>\n<td>Malware Payload<\/td>\n<td>DEV#POPPER<\/td>\n<td>Second-stage payload delivering command execution and credential theft\n<\/td>\n<\/tr>\n<tr>\n<td>Malware Payload<\/td>\n<td>OmniStealer<\/td>\n<td>Second-stage payload targeting browser data and cryptocurrency wallets\n<\/td>\n<\/tr>\n<tr>\n<td>Infrastructure<\/td>\n<td>TRON, Aptos, BNB Smart Chain RPC services<\/td>\n<td>Blockchain infrastructure abused to retrieve encrypted payload material\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong>\u00a0<em>IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. 
Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/north-korea-linked-hackers-hide-javascript-loaders\/\">North Korea-Linked Hackers Hide JavaScript Loaders in Open Source Repositories<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>North Korea-Linked Hackers Hide JavaScript Loaders in Open Source Repositories A new wave of supply chain attacks is spreading across the open source world, and this time the target is developers themselves. 
Security researchers have uncovered a campaign called PolinRider that hides malicious JavaScript loaders inside trusted code repositories, waiting for unsuspecting developers to run [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-14054","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14054"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14054"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14054\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14054"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14054"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14054"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}