Full Report
The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing 108 unique packages and web browser extensions spanning npm, Packagist, Go, and Google Chrome as part of an ongoing activity referred to as PolinRider. "The campaign remains active, and new malicious packages are likely to continue appearing as threat actors compromise maintainer accounts,
Analysis Summary
# Threat Actor: Contagious Interview (PolinRider)
## Attribution & Identity
- **Actor Identification:** North Korea-aligned threat actors (DPRK).
- **Aliases:** Associated with the **Contagious Interview** moniker and a specific cluster of activity titled **PolinRider**.
- **Known Associations:** Linked to the **TaskJacker** activity cluster.
## Activity Summary
The actor is currently engaged in an expansive supply chain campaign dubbed **PolinRider** (active through July 2026). This activity involves the publication of 162 malicious release artifacts across 108 unique packages and browser extensions. The campaign follows the "Contagious Interview" theme, where attackers pose as recruiters or technical collaborators to trick software developers into executing malicious code during "technical assessments."
## Tactics, Techniques & Procedures
- **Supply Chain Poisoning:** Publishing malicious packages to npm, Packagist, Go, and the Chrome Web Store.
- **Account Takeover:** Compromising maintainer accounts through expired domain takeovers or account recovery exploits.
- **Social Engineering:** Using LinkedIn, GitHub, and freelance sites with AI-generated profiles and elaborate front companies to lure developers (T1566).
- **History Manipulation:** Using Windows batch scripts and force pushes to rewrite Git history and anti-date commits, making malicious changes appear to be from the original author (T1564).
- **Automated Execution:** Utilizing malicious VS Code task files with `runOn: 'folderOpen'` to trigger code execution when a workspace is opened in IDEs like VS Code or Cursor.
- **Evasion:** Obfuscating JavaScript loaders using whitespace padding and concealing code within fake `.woff2` font files.
- **Multi-Stage Loading:** Payloads reach out to blockchain infrastructure (TRON, Aptos, BNB Smart Chain) to fetch encrypted second-stage payloads.
## Targeting
- **Sectors:** Cryptocurrency, Software Development, Financial Services.
- **Geography:** Global (targeting users on major platforms like GitHub and LinkedIn).
- **Victims:** Software developers, maintainers of open-source projects, and individuals in the crypto sector. Over 1,000 unique repository owners have been impacted.
## Tools & Infrastructure
- **Malware Families:**
- **BeaverTail:** JavaScript-based malware/loader.
- **DEV#POPPER:** Remote Access Trojan (RAT).
- **OmniStealer:** Credential and data stealer.
- **Infected Ecosystems:** npm (19 libraries), Composer (10 packages), Go (61 modules), Google Chrome (1 extension).
- **Infrastructure:** Blockchain-based services for C2/payload hosting (TRON, Aptos, BNB Smart Chain).
- **Targeted Config Files:** The malware specifically hunts for:
- `postcss.config.mjs`
- `tailwind.config.js`
- `eslint.config.mjs`
- `next.config.mjs`
- `babel.config.js`
- `app.js`
## Implications
This campaign represents a sophisticated evolution of DPRK social engineering. By shifting from simple phishing to multi-layered repository poisoning and Git history manipulation, the actors are capable of maintaining long-term persistence in the developer ecosystem. The integration of "PolinRider" and "TaskJacker" shows a highly automated approach to compromising dev environments, directly threatening the integrity of decentralized finance (DeFi) and the broader software supply chain.
## Mitigations
- **IDE Best Practices:** Disable "Automatic Tasks" in VS Code or ensure `task.runOn` is set to prompt for permission before execution.
- **Dependency Auditing:** Use tools like `npm audit` or Socket to identify known malicious packages or suspicious maintainer changes.
- **Verify Recruiters:** Authenticate recruiter profiles via secondary channels; be wary of "technical tests" that require downloading ZIP files or running local scripts.
- **Git Monitoring:** Implement branch protection rules and monitor for "force push" events on critical repositories.
- **Network Filtering:** Block or monitor connections to non-standard blockchain API endpoints from development environments.