North Korean campaign publishes malicious packages
🛡️ Researchers observed North Korea–linked actors behind the Contagious Interview campaign publish 108 unique malicious packages and extensions across npm, Packagist, Go, and Chrome under an operation dubbed PolinRider. The releases include obfuscated JavaScript loaders that append code to common project config files and leverage VS Code task auto-run behavior to execute payloads. Attackers appear to acquire or retain registry and maintainer access via repository compromises, domain takeovers, or malicious dependencies. The campaign has been active since at least 2023 and continues to deliver RATs and stealers through multi-stage blockchain-backed payload delivery.