PolinRider Supply Chain Attack Hits 108 Packages

PolinRider supply chain attack

The PolinRider supply chain attack has been confirmed by Socket.dev, SecurityWeek and SC Media: a North Korea-linked actor has flooded four separate open-source ecosystems — npm, Packagist, Go modules and the Chrome Web Store — with 108 malicious packages designed to steal developer and cloud credentials.

What Happened

Researchers attribute the PolinRider supply chain attack to North Korean threat actors associated with Lazarus Group and APT37, tied to the long-running “Contagious Interview” operation that has spent years compromising developer environments to steal credentials and source code. The actor compromised legitimate maintainer accounts and repositories to publish at least 108 malicious packages across 162 release artifacts: 19 npm libraries, 10 Packagist/Composer packages, 61 Go modules, and 1 Chrome Web Store extension. Several npm packages were disguised as Tailwind CSS animation utilities — names like tailwindcss-style-animate, tailwind-mainanimation, and tailwind-autoanimation — chosen specifically to blend into a developer’s normal dependency list.

The malicious payload is an obfuscated JavaScript loader that reaches out to public blockchain RPC infrastructure to retrieve encrypted second-stage code — an “EtherHiding”-style technique that makes the campaign unusually resilient to takedown, since the command-and-control address lives on-chain rather than on a domain that can simply be seized. Once active, the payload performs credential theft, source-code exfiltration, and lateral movement into connected CI/CD and cloud environments.

Why It Matters

PolinRider is the 17th tracked supply-chain attack on developer tooling in DIESEC’s 2026 tracking arc — and the first attributed to North Korea rather than the TeamPCP/Mini-Shai-Hulud lineage responsible for most of the year’s prior campaigns (Trivy, Checkmarx, LiteLLM, SAP @cap-js, TanStack, and others). That matters beyond attribution trivia: it confirms that “compromise a maintainer account, flood the registry with disguised packages” is no longer one group’s signature move. It is now a proven, transferable playbook that any well-resourced actor can run independently.

For DACH organizations, the practical exposure is high by default: npm, Packagist and Go modules are standard tooling across virtually every modern development team, regardless of industry. The blockchain-based C2 channel also breaks the usual incident-response assumption that seizing or blocking a C2 domain neutralizes an infection — there is no domain to seize.

What You Should Do Now

  1. Immediate: Cross-check your package-lock.json, composer.lock and go.sum files against the published PolinRider indicator list (Socket.dev) for any of the 108 known-malicious packages, paying particular attention to Tailwind CSS animation-utility names.
  2. Verify: Audit CI/CD build-agent network logs for outbound connections to blockchain RPC endpoints or unusual public RPC providers — this is the strongest indicator of the loader technique in action.
  3. Mitigate: If any affected package was installed anywhere in your environment, rotate every credential reachable from that build or developer machine — npm/registry tokens, cloud access keys, SSH keys, CI/CD secrets — not just the package itself.
  4. Monitor: Enforce lockfile-integrity installs (npm ci, pinned Composer/Go module versions with checksum verification) going forward to prevent a silent malicious version bump from entering your build pipeline unnoticed.

DIESEC Perspective

What should concern DACH development teams most isn’t PolinRider specifically — it’s that a second, independent nation-state actor has now picked up the exact registry-flooding technique perfected by the TeamPCP lineage over the past six months. The technique itself has become the risk to defend against, not any single actor’s toolkit. And the blockchain-hosted C2 is a preview of how the next generation of these campaigns will be built to survive takedown.

Not sure whether any of PolinRider’s 108 packages made it into your dependency tree? Contact DIESEC for a rapid software supply chain exposure review.

Sources: Socket.dev | SecurityWeek
Published: 2026-07-10 | Category: Supply Chain Security | ~4 min read