Full Report
A supply chain campaign attributed to a DPRK-linked threat actor, PolinRider, has resulted in the compromise of over 1,900 GitHub repositories through malicious npm packages, VS Code artifacts, and injected JavaScript payloads. The campaign leverages stealthy code injection an...
Analysis Summary
# Threat Actor: PolinRider
## Attribution & Identity
* **Primary Identifier:** PolinRider
* **Associated Groups:** DPRK-linked (North Korea); explicitly associated with the **Lazarus Group** (and its sub-clusters).
* **Identity:** A sophisticated state-sponsored actor known for targeting the software supply chain and developer environments.
## Activity Summary
The actor recently executed a massive supply chain campaign resulting in the compromise of over **1,900 GitHub repositories**. This operation utilized malicious npm packages and VS Code artifacts to deliver obfuscated JavaScript payloads. The campaign is characterized by its high volume and the use of blockchain networks for command-and-control (C2) resilience.
## Tactics, Techniques & Procedures
* **Initial Access:** Supply Chain Compromise (T1195) through trojanized npm packages and weaponized take-home coding templates.
* **Execution:**
  * Execution via `curl | bash` commands embedded in `.vscode/tasks.json`.
  * Malicious code triggered during `npm install` or build phases.
* **Persistence:**
  * Injected JavaScript payloads into project configuration files (e.g., `postcss.config.mjs`, `tailwind.config.js`).
  * Use of detached processes for long-term access.
* **Defense Evasion:**
  * Heavy obfuscation of JavaScript payloads.
  * Stealthy code injection (appending code after valid content).
  * Hiding payloads within unconventional files like `.woff2` (font files).
* **Git History Manipulation:** Use of `temp_auto_push.bat` to rewrite commit history and force-push changes to hide malicious activity.
* **Command and Control:** Decentralized C2 infrastructure leveraging blockchain networks (TRON, Aptos, BSC) to host encrypted second-stage code.
## Targeting
* **Sectors:** Software Development, Blockchain, Information Technology.
* **Geography:** Global (targeting users of the npm ecosystem and GitHub).
* **Victims:** Developers, downstream users of compromised GitHub repositories, and organizations using affected npm packages.
## Tools & Infrastructure
* **Malware Families:**
  * **Beavertail:** A multi-stage backdoor and infostealer variant.
  * **PolinRider:** Custom scripts for propagation and injection.
* **Infrastructure:**
  * **Blockchain Networks:** hXXps[://]tronscan[.]org, Aptos, and Binance Smart Chain (BSC) for encrypted payload retrieval.
  * **Repositories:** Malicious npm registry packages and GitHub repositories (over 1,900 affected).
  * **Reference Repo:** hXXps[://]github[.]com/OpenSourceMalware/PolinRider (Research tracker).
## Implications
This campaign demonstrates an advanced shift in DPRK cyber strategy, moving from targeted social engineering to broad-scale automated supply chain poisoning. By leveraging blockchain as an immutable C2 layer and manipulating git histories, the actor has significantly increased the difficulty of detection and incident response. The goal appears to be multi-functional: credential theft (infostealing), persistent remote access, and resource hijacking.
## Mitigations
* **Registry Security:** Implement strict auditing of `package-lock.json` and `node_modules`. Use tools like `npm audit` or Socket.dev to check for known malicious packages.
* **VS Code Safety:** Disable "Automatic Tasks" in VS Code settings to prevent the execution of malicious `.vscode/tasks.json` files from untrusted repositories.
* **Code Review:** Implement mandatory peer reviews for all changes to configuration files (PostCSS, Tailwind, Vite) and binary assets (Fonts).
* **CI/CD Hardening:** Use "frozen locks" in build pipelines to prevent the dynamic fetching of unverified package versions.
* **Network Monitoring:** Monitor for unusual outbound traffic to public blockchain RPC nodes from developer workstations or build servers.