PolinRider

PolinRider is a DPRK-attributed, Lazarus-aligned supply chain threat actor/campaign targeting the open-source software ecosystem, especially GitHub repositories, developer workstations, and build pipelines. The content links PolinRider to the earlier TasksJacker activity and describes the campaign as merging the older TasksJacker and Contagious Interview clusters. OpenSourceMalware reported TasksJacker as a DPRK-linked operation active in early 2026 that compromised more than 400 GitHub repositories across dozens of organizations, while other referenced reporting describes PolinRider as implanting malware in hundreds of GitHub repositories and documenting activity across more than 1,900 public repositories. The actor’s tradecraft includes compromising repositories and inserting malicious .vscode/tasks.json files configured with "runOn": "folderOpen" so code executes when a developer opens a cloned repository in VS Code. The content states this technique was used for months by PolinRider / TasksJacker and as a fallback persistence layer behind npm-config-file injection. Reported npm/config-file injection targets included postcss.config.mjs, tailwind.config.js, next.config.mjs, and astro.config.mjs. The actor also used stolen credentials to execute fork-and-PR upstream injection attacks against popular projects, submitting benign-looking pull requests that actually modified build-time configuration files. One documented example is PR #206 against Egonex-AI/Understand-Anything, where malicious code was hidden in homepage/astro.config.mjs after long horizontal whitespace to evade GitHub diff review. The documented payload behavior includes restoring require in ES module context, beaconing to hardcoded C2 servers, exfiltrating a campaign marker, downloading and XOR-decrypting a bot client from a /$/boot endpoint, and evaluating additional payloads. The content also links PolinRider to multi-blockchain command-and-control infrastructure using TRON, Aptos, and Binance Smart Chain. In the PR #206 case, stage-two commands were resolved through a Tron-to-Aptos-to-BSC relay and decrypted before eval(). Separate reporting on TasksJacker describes a malware chain including a self-deleting bash dropper, obfuscated JavaScript loader, information stealer, and persistent backdoor, with theft of browser credentials, cryptocurrency wallet data, SSH keys, AWS credentials, environment variables, API keys, and Git credentials. The actor also used concealment and propagation techniques including spoofed commit metadata, backdated timestamps, force-push history rewriting, and automation artifacts such as temp_auto_push.bat and temp_interactive_push.bat. The content notes Windows-based workflow artifacts and states that PolinRider fingerprints included a decoder function, shuffle marker, seed, Tron dead drop, XOR keys, globals, propagation artifacts, and blockchain relay infrastructure. OpenSourceMalware further attributed related C2 infrastructure with high confidence to the GitHub account Polin9912 and assessed DPRK affiliation with medium-high confidence. Known associated names and clusters directly mentioned in the content include TasksJacker and Contagious Interview.