A sophisticated, multi-platform supply chain campaign linked to North Korean threat actors has injected at least 108 malicious packages and browser extensions into four major software ecosystems. Researchers have dubbed this sustained operation PolinRider, marking a notable escalation from the group's previously known activities.
According to an analysis detailed in The Hacker News on July 4, the campaign spans the npm and Packagist package registries, the Go module ecosystem, and the Google Chrome Web Store. The malicious payloads rely on obfuscated JavaScript loaders and rogue VS Code tasks (workspace task definitions that the editor can be configured to run automatically when a project folder is opened) to execute unauthorized code on affected systems, embedding harmful behavior inside what looks like a routine development workflow.
This large-scale poisoning of central package registries represents a strategic shift from the group's earlier Contagious Interview campaign, which relied largely on social engineering aimed at individual developers. PolinRider signals a pivot toward poisoning shared development infrastructure, so that malicious code reaches downstream projects and applications automatically through ordinary dependency resolution rather than through a lure delivered to one victim at a time.
For developers and security teams, the campaign highlights a pervasive and insidious threat. The deliberate use of multiple programming languages and platforms, combined with obfuscation, indicates a concerted effort to maximize reach and complicate detection. The use of VS Code tasks as a delivery vector is particularly concerning: the task definition ships inside the project itself and targets the everyday tooling of developers, so once a workspace is trusted, simply opening a cloned repository in the editor can be enough to trigger it.
Researchers emphasize that the operation is ongoing. The 108 identified artifacts represent just a snapshot, with threat actors expected to continue publishing new malicious packages. This continuous activity grants the attackers a persistent foothold within the global software supply chain for potential data theft or further deployment.
The inclusion of malicious Chrome extensions broadens the attack surface from build-time systems to end-user browsers, enabling surveillance, credential theft, and additional payload delivery. This comprehensive approach targets both the development pipeline and the final runtime environment.
This incident serves as a critical alert for the open-source community. Security experts advise developers to audit package updates rather than accept them blindly, to pin dependencies to exact versions through committed lockfiles (package-lock.json, composer.lock, go.sum), and to verify package integrity through checksum validation and signature verification before anything is installed or built. The attack underscores that the security of the software supply chain depends on both platform-level safeguards and vigilant development practices.
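As an added example (not code from the researchers, from The Hacker News, or from any affected package), the following Python script applies the advice above to a single npm tarball and also illustrates the two execution vectors described earlier: it first verifies the tarball against a lockfile-style `integrity` value, then inspects the contents for npm lifecycle scripts and for a `.vscode/tasks.json` task configured with `runOn: folderOpen`. The package name `example-utils`, its file contents and the pinned hash are all constructed for the demo; nothing here is an indicator from the actual campaign.

```python
"""Pre-install audit of an npm package tarball (added example for this article).

Verifies the .tgz against a package-lock.json style SRI string, then flags code
that would run without the developer doing anything beyond installing or
opening the project. All sample data in this file is constructed.
"""
import base64
import hashlib
import hmac
import io
import json
import tarfile

SRI_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
# npm runs these during "npm install" unless --ignore-scripts is given.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource Integrity string in the form npm records in package-lock.json."""
    digest = SRI_ALGOS[algo](data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(tarball: bytes, expected: str) -> bool:
    """Compare the tarball hash against the pinned lockfile value in constant time."""
    algo, _, _ = expected.partition("-")
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo!r}")
    return hmac.compare_digest(sri(tarball, algo), expected)


def audit_tarball(tarball: bytes) -> list[str]:
    """Return findings for code that runs at install time or when the folder is opened."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            # npm tarballs place every file under a top-level "package/" directory.
            path = member.name.split("/", 1)[-1]
            if path not in ("package.json", ".vscode/tasks.json"):
                continue
            raw = tf.extractfile(member).read()
            try:
                doc = json.loads(raw)
            except json.JSONDecodeError:
                # tasks.json is frequently JSONC (comments, trailing commas); an
                # unparseable file is itself a reason for a human to look at it.
                findings.append(f"{path}: not strict JSON, review manually")
                continue
            if path == "package.json":
                scripts = doc.get("scripts", {})
                for hook in LIFECYCLE_HOOKS:
                    if hook in scripts:
                        findings.append(f"lifecycle script {hook}: {scripts[hook]}")
            else:
                for task in doc.get("tasks", []):
                    if task.get("runOptions", {}).get("runOn") == "folderOpen":
                        findings.append(
                            f"VS Code task {task.get('label')!r} runs on folderOpen: "
                            f"{task.get('command')}"
                        )
    return findings


def build_sample_tarball(files: dict[str, bytes]) -> bytes:
    """Build an npm-style .tgz in memory from {path: content} (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(name=f"package/{path}")
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample carrying both vectors; "example-utils" is a hypothetical name.
SAMPLE_FILES = {
    "package.json": json.dumps({"name": "example-utils", "version": "1.0.3",
                                "scripts": {"postinstall": "node lib/setup.js"}}).encode(),
    ".vscode/tasks.json": json.dumps({"version": "2.0.0", "tasks": [
        {"label": "init", "type": "shell", "command": "node lib/setup.js",
         "runOptions": {"runOn": "folderOpen"}}]}).encode(),
    "lib/setup.js": b"// an obfuscated loader would sit here\n",
}


def check_package(tarball: bytes, pinned_integrity: str) -> dict:
    """CI-gate order: refuse anything whose hash moved, only then inspect contents."""
    ok = verify_integrity(tarball, pinned_integrity)
    return {"integrity_ok": ok, "findings": audit_tarball(tarball) if ok else []}


if __name__ == "__main__":
    tgz = build_sample_tarball(SAMPLE_FILES)
    pinned = sri(tgz)  # what package-lock.json would hold for this exact tarball
    print(json.dumps(check_package(tgz, pinned), indent=2))
    print(json.dumps(check_package(tgz + b"\x00", pinned), indent=2))  # tampered copy
```

The integrity check catches a tarball that differs from what the lockfile pinned; the content audit catches a package whose pinned version was malicious from the start, which is the PolinRider scenario. Two caveats: a `folderOpen` task only fires after the developer trusts the workspace in VS Code, so Workspace Trust is the platform-level control here, and `npm ci --ignore-scripts` removes the lifecycle-script path entirely at the cost of breaking packages that legitimately need it.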
As the campaign persists, the cybersecurity community continues to track new indicators of compromise. The evolution from social engineering to a full-scale supply chain assault underscores a growing and concerning capability within this threat group.
