A new supply chain campaign known as PolinRider has compromised more than 100 legitimate open source packages and repositories. The operation, attributed to North Korean hackers, aims to deliver both a backdoor and an information stealer directly to software developers who integrate these packages into their projects.
The scope of the attack is significant, affecting a wide range of projects that rely on tainted open source code. SecurityWeek, which first reported the campaign, noted that the attackers have already tampered with over 100 packages, suggesting an active and broad-reaching operation that could impact numerous downstream users.
Technical analysis indicates the attackers likely used social engineering or credential theft to gain access to repository maintainer accounts. Once compromised, they injected malicious code into otherwise legitimate packages, creating a trojanized update pathway. The backdoor component provides remote access, while the stealer exfiltrates credentials, API keys, and other sensitive data during the development process.
As of now, no public patches or automated scanning tools have been released to identify all affected packages. Developers are advised to audit their dependencies against known indicators of compromise from the campaign, and to enable multi-factor authentication on package manager accounts to reduce the risk of future compromise.
The operation aligns with a broader trend of state-linked APT groups targeting the open source ecosystem. While attribution points to North Korean actors, no specific threat group name (such as Lazarus or Kimsuky) has been publicly associated with PolinRider at this time. The supply chain vector continues to pose an outsized risk given its potential for rapid downstream spread.