Published: · Region: Global · Category: cyber

North Korea-Linked Hackers Seed 108 Malicious Packages in Open-Source Repos, Targeting Devs Worldwide

Illustrative image, not from the reported incident. Photo via Wikimedia Commons / Wikipedia: North Korea and weapons of mass destruction

A North Korea-linked group has published 108 malicious packages and extensions across npm, Packagist, Go ecosystems and the Chrome Web Store, abusing developer trust to deliver remote access tools and data stealers. The campaign turns open-source supply chains into an attack surface for espionage, putting software engineers, enterprises and government networks in the firing line.

A North Korea-linked hacking outfit has quietly booby-trapped the software supply chain, publishing more than a hundred malicious components across widely used developer ecosystems and the Chrome Web Store in a campaign that again exposes how fragile trust is in the digital tools undergirding modern economies.

Security researchers report that the group, tracked as PolinRider, has released at least 108 malicious packages and extensions into key repositories, including npm for JavaScript, Packagist for PHP, Go module repositories and Google’s Chrome Web Store. The components hide obfuscated JavaScript loaders and abuse features such as Visual Studio Code auto-run tasks and blockchain-based services to fetch two main payloads: the DEV#POPPER remote access trojan and OmniStealer, a data theft tool.

The attack chain is designed to be as seamless — and invisible — as possible to the developers who install the tainted packages. Once a malicious library is included in a project or a compromised extension is added to a browser, background scripts can execute automatically, establishing contact with command-and-control servers and pulling down the full malware suite. From there, the operators can capture credentials, exfiltrate code and data, and in some cases hijack the development environment as a foothold into wider corporate or governmental networks.
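Two of the auto-execution points the article describes, VS Code tasks that start on folder open and npm install-time lifecycle scripts, can be audited in a checkout before anything runs. The script below is an added example written for this article, not code from the researchers or any project named here; the sample `tasks.json` and `package.json` contents are constructed, and `scan_project` is a hypothetical helper name.

```python
import json
from pathlib import Path

# VS Code tasks with this runOn value start as soon as the folder is opened
AUTO_RUN_ON = "folderOpen"
# npm lifecycle scripts that execute during `npm install` without any explicit call
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_auto_run_tasks(tasks_json: str) -> list[str]:
    """Return labels of tasks in a tasks.json document configured to run on folder open."""
    doc = json.loads(tasks_json)  # real tasks.json may be JSONC; strip comments first
    return [
        task.get("label", "<unlabelled>")
        for task in doc.get("tasks", [])
        if task.get("runOptions", {}).get("runOn") == AUTO_RUN_ON
    ]


def find_install_hooks(package_json: str) -> dict[str, str]:
    """Return the install-time lifecycle scripts declared in a package.json."""
    scripts = json.loads(package_json).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in NPM_INSTALL_HOOKS}


def scan_project(root: str) -> list[str]:
    """Walk a checkout (node_modules included) and list every auto-executing hook."""
    findings = []
    for path in Path(root).rglob("*"):
        try:
            if path.name == "tasks.json" and path.parent.name == ".vscode":
                for label in find_auto_run_tasks(path.read_text()):
                    findings.append(f"{path}: task '{label}' runs on folderOpen")
            elif path.name == "package.json":
                for name, cmd in find_install_hooks(path.read_text()).items():
                    findings.append(f"{path}: {name} -> {cmd}")
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or non-JSON file: skip it, do not abort the scan
    return findings


# Constructed samples (hypothetical, not taken from the reported campaign)
SAMPLE_TASKS = """{"version": "2.0.0", "tasks": [
  {"label": "build", "type": "shell", "command": "npm run build"},
  {"label": "init", "type": "shell", "command": "node .vscode/init.js",
   "runOptions": {"runOn": "folderOpen"}}]}"""
SAMPLE_PACKAGE = """{"name": "demo", "version": "1.0.0",
  "scripts": {"test": "jest", "postinstall": "node setup.js"}}"""

if __name__ == "__main__":
    print(find_auto_run_tasks(SAMPLE_TASKS))   # ['init']
    print(find_install_hooks(SAMPLE_PACKAGE))  # {'postinstall': 'node setup.js'}
```

A hit is not proof of malice; it marks the files whose commands deserve a read before the folder is opened in VS Code or `npm install` is run (or run with `--ignore-scripts`).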

For individual developers, many of whom treat open-source repositories as a trusted toolbox, the implications are personal and immediate. A single npm install or VS Code task could turn their workstation into an intelligence collection node for a foreign state, leaking source code, API keys or access tokens tied to cloud infrastructure. For small startups and contractors plugged into larger supply chains, the risk extends to customer environments that may never realize their exposure originated in a free package pulled from the internet.

At the enterprise and national level, this campaign underscores a hardening reality: software supply chains have become a preferred route for state-linked actors seeking persistence and scale. Targeting public package registries allows groups like PolinRider to cast a wide net, hitting developers in multiple countries and sectors with the same malicious artifacts. If even a fraction of those packages end up inside critical systems — from financial platforms to defense contractors — the payoff can be significant.

The attribution to a North Korea-linked cluster fits a broader pattern of Pyongyang’s cyber operations, which have spanned cryptocurrency theft, espionage and disruptive attacks as a way to offset sanctions and generate hard currency. By pivoting more deeply into developer-focused ecosystems, the operators are betting that overworked teams will struggle to vet every dependency in their stacks, especially when those packages appear to offer useful functionality.

The key insight is that in 2026, the front line of state-backed hacking often passes through the same tools developers use to do their day jobs. Security is no longer only about patching servers; it is about questioning whether the code you pulled from a public repo is, in effect, an unvetted foreign agent.

Signals to monitor now include how quickly npm, Packagist, Go maintainers and the Chrome Web Store identify and remove the malicious entries, whether additional clusters of tainted packages are discovered, and whether any governments issue advisories tying observed intrusions to this campaign. Enterprises will be watching for indicators of compromise linked to DEV#POPPER and OmniStealer, while policymakers weigh whether new rules or liability frameworks are needed to harden the open-source infrastructure that underlies critical sectors.
