PolinRider Campaign Jumps From GitHub Into Go and PHP Packages
North Korea-linked PolinRider campaign turned hijacked GitHub accounts into compromised Go modules and Packagist packages with no extra effort required.
PolinRider is a DPRK-linked supply-chain campaign tied to the Lazarus Group / Contagious Interview cluster, first identified earlier this year. Unlike the classic fake-interview or typosquatting playbook, attackers take over legitimate GitHub accounts and quietly inject obfuscated JavaScript loaders into repositories the maintainers already own. The payload hides in config files, fake .woff2 font files, and .vscode/tasks.json triggers, pulling the Lazarus stealer toolkit via blockchain dead-drops while a Windows script rewrites git history to mask the tampering.
Early reports found 675 compromised repos, later rising to 1,951 across 1,047 owners. The campaign has since spread into Packagist and Go registries: roughly 200 malicious release artifacts across 111 unique packages, including over 80 Go modules, 10 Packagist packages, several NPM libraries, and a couple of Chrome extensions. This expansion required no new sophistication — it's a direct consequence of how Go and Packagist resolve packages straight from git repositories, where repo access and publishing rights are effectively the same, with no separate token needed. NPM and PyPI, which host their own artifacts behind separate publish credentials, proved far more resistant.
The takeaway for engineers is clear: rendered git history can't be trusted, since force-pushes can backdate commits to look untouched. Defenders need to inspect repository activity logs, package release metadata, and config files directly rather than relying on the visible commit log. In repo-sourced ecosystems there's no pristine registry copy to diff against — the tampered repository is the published artifact itself.