North Korean cyber actors associated with the Contagious Interview campaign have escalated their activities by releasing 108 malicious packages and browser extensions across platforms such as npm, Packagist, Go, and Google Chrome. This operation, identified as PolinRider, underscores a persistent and evolving threat to software developers and cryptocurrency professionals.
Contagious Interview is a sophisticated campaign that leverages deceptive job recruitment tactics to infiltrate the systems of targeted individuals. By posing as recruiters or collaborators on platforms like LinkedIn and GitHub, these threat actors establish trust through elaborate front companies and AI-generated profiles. Their ultimate goal is to persuade victims to execute malicious code under the guise of job assessments or collaborative projects.
The PolinRider campaign, first detected in March 2026, involves the insertion of obfuscated JavaScript payloads into numerous public GitHub repositories. These payloads are designed to deploy variants of BeaverTail, a known JavaScript malware linked to Contagious Interview. As of April 2026, the campaign had compromised nearly 2,000 public GitHub repositories belonging to over 1,000 unique owners. Additionally, it has merged with another operation called TaskJacker, which introduces malicious Visual Studio Code (VS Code) task files into existing repositories. These tasks are configured to execute arbitrary code when the folder is opened in an IDE like VS Code.
Unlike traditional credential theft, the attackers in this campaign are believed to gain access by compromising maintainer accounts through methods such as expired domain takeovers or alternative account recovery processes. Once inside, the malware searches for specific configuration files, such as 'postcss.config.mjs' and 'tailwind.config.js', and appends malicious JavaScript code to them. To cover their tracks, the attackers employ scripts that rewrite the last commit so that the change appears to have been authored by the original maintainer.
The core strategy of the PolinRider campaign remains consistent: infiltrate legitimate repositories with obfuscated JavaScript loaders, conceal the malicious code through techniques like whitespace padding or embedding in fake font files, and trigger execution via developer tools such as VS Code task files. This approach highlights the attackers’ adaptability and their focus on exploiting the trust inherent in open-source development environments.
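As an added defender-side example (not code from the article or from any project it names), the following Node.js script checks repository file contents for the two indicators described above: a VS Code task configured to run on folder open, and code hidden behind whitespace padding in the named config files. The thresholds, file paths and sample inputs are constructed assumptions.

```javascript
// Added example (not from the article): defender-side checks for the two PolinRider/TaskJacker
// indicators, run against in-memory strings so it works offline. Thresholds and samples are constructed.
const CONFIG_TARGETS = ["postcss.config.mjs", "tailwind.config.js"]; // files named in the article
// tasks.json is JSONC; drop whole-line // comments before parsing. Assumption: no inline/block comments.
function parseTasksJson(text) {
  return JSON.parse(text.split("\n").filter((l) => !l.trim().startsWith("//")).join("\n"));
}
// Tasks VS Code runs automatically when the folder is opened: runOptions.runOn === "folderOpen".
function findAutoRunTasks(tasksJsonText) {
  return (parseTasksJson(tasksJsonText).tasks || [])
    .filter((t) => t.runOptions && t.runOptions.runOn === "folderOpen")
    .map((t) => ({ label: t.label, command: t.command }));
}
// Lines that hide code behind a long run of blanks (payload pushed off-screen) or that are overlong.
function findPaddedLines(text, { padRun = 100, maxLen = 500 } = {}) {
  const padded = new RegExp(`[ \\t]{${padRun},}\\S`);
  const findings = [];
  text.split("\n").forEach((line, i) => {
    if (padded.test(line)) findings.push({ line: i + 1, reason: "whitespace-padded code" });
    else if (line.length > maxLen) findings.push({ line: i + 1, reason: "overlong line" });
  });
  return findings;
}
// Scan a map of path -> content; a real run would read these from the checked-out repository.
function scanRepo(files) {
  const report = [];
  for (const [path, content] of Object.entries(files)) {
    if (path.endsWith(".vscode/tasks.json")) {
      for (const t of findAutoRunTasks(content))
        report.push({ path, finding: `auto-run task "${t.label}": ${t.command}` });
    } else if (CONFIG_TARGETS.includes(path.split("/").pop())) {
      for (const f of findPaddedLines(content)) report.push({ path, finding: `${f.reason} at line ${f.line}` });
    }
  }
  return report;
}
// Constructed samples: a tasks.json with an on-open task, and a config file with a padded trailing line.
const SAMPLE_TASKS = `{
  // comment line of the kind an IDE emits
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    { "label": "setup", "type": "shell", "command": "node .vscode/setup.js", "runOptions": { "runOn": "folderOpen" } }
  ]
}`;
const SAMPLE_CONFIG = "export default { plugins: {} };" + " ".repeat(400) + "/* stand-in for an appended loader */\n";
console.log(scanRepo({ ".vscode/tasks.json": SAMPLE_TASKS, "postcss.config.mjs": SAMPLE_CONFIG }));
```

Run it against the files of a freshly cloned repository before opening the folder in an IDE; a hit on either check is a reason to inspect the commit history rather than a verdict on its own.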
For software developers and organizations, this campaign serves as a stark reminder of the importance of vigilance in the open-source ecosystem. Regularly auditing dependencies, verifying the integrity of packages, and maintaining robust security practices are essential to mitigate the risks posed by such sophisticated supply chain attacks. As threat actors continue to refine their methods, the development community must remain proactive in identifying and addressing potential vulnerabilities.