PolinRider
PolinRider is a DPRK-attributed malware campaign centered on software supply-chain compromise of developer workflows and repositories. Reporting links it to malicious pull requests, poisoned development branches, and repository-propagation activity, with overlap to TasksJacker-style abuse of VS Code tasks.json "runOn": "folderOpen" execution. The campaign has been associated with loader architectures that culminate in BeaverTail-related payloads and backdoor/infostealer behavior on developer machines.
Observed PolinRider tradecraft includes obfuscated JavaScript loaders hidden in build or configuration files such as astro.config.mjs and tailwind.js, appended after a long run of horizontal whitespace so that the visible part of the line looks complete in a diff view. In the documented GitHub PR #206 case against Egonex-AI/Understand-Anything, the payload executed whenever astro build, astro dev, or astro preview ran on the affected branch. The loader restored require in an ES module context through a createRequire preamble, decoded internal symbols with a string-shuffle routine, planted campaign markers on the global object, beaconed hardcoded C2 infrastructure, exfiltrated a campaign marker via the Sec-V header, downloaded an encrypted bot client from /$/boot, XOR-decrypted it, and executed it with eval(). A separate stage resolved commands through a blockchain relay chain using Tron, with Aptos fallback, to recover a BSC transaction whose input contained an encrypted second-stage payload that was XOR-decrypted and eval-executed. Because that stage is fetched through public blockchain RPC nodes, blocking the listed C2 IPs alone does not stop second-stage retrieval, and the operator can rotate the payload by sending a new transaction from a wallet they control without touching DNS or server infrastructure.
The same loader pattern was also observed in a malicious Packagist development version of the legitimate roberts/leads package, where obfuscated JavaScript appended to tailwind.js contacted TRON, Aptos, and BNB Smart Chain infrastructure, decrypted payloads with embedded XOR keys, and could spawn a detached hidden Node.js child process. Researchers assessed that incident as likely developer or repository compromise rather than a malicious package built from scratch. The campaign is also described as leaving repository-propagation artifacts and Windows-based automation clues such as temp_auto_push.bat, temp_interactive_push.bat, and related branch-push tooling.
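The two cases above share a file-level signature: a build or configuration file whose last visible statement is followed by a long run of spaces and then an obfuscated tail carrying createRequire, an XOR-and-eval loop, a global marker, and hardcoded C2 strings. The scanner below is an added example, not code from the PolinRider reporting or from any affected project; it runs the heuristics over file contents passed in as strings. The whitespace threshold, the rule set, and both fixtures (a plain Astro config and a constructed, non-functional stand-in for the hidden tail) are assumptions made for illustration.

```javascript
// Added example (not from the PolinRider reporting): heuristic scanner for
// build/config files such as astro.config.mjs or tailwind.js.
// Assumption: WHITESPACE_GAP and the rule list below are illustrative choices.
const WHITESPACE_GAP = 80; // spaces/tabs between visible code and a hidden tail

// Trait 1: a line that already looks complete, then a long run of horizontal
// whitespace, then more code. A diff viewer shows the prefix and hides the tail.
const GAP_RE = new RegExp('^(.*?\\S)[ \\t]{' + WHITESPACE_GAP + ',}(\\S.*)$');

// Traits 2..n: string-level markers named in the reporting.
const RULES = [
  { id: 'createRequire-in-esm', re: /createRequire\s*\(/ },          // require restored in ESM
  { id: 'eval-call',            re: /\beval\s*\(/ },
  { id: 'xor-decrypt-loop',     re: /charCodeAt\s*\([^)]*\)\s*\^/ },  // byte ^ key byte pattern
  { id: 'global-marker',        re: /global(?:This)?\s*\[\s*['"]!['"]\s*\]/ },
  { id: 'sec-v-header',         re: /['"]Sec-V['"]/ },
  { id: 'boot-endpoint',        re: /\/\$\/boot/ },
  { id: 'hardcoded-ip-url',     re: /https?:\/\/(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/ },
];

// Returns one finding per (rule, line) hit; the detail is a short excerpt.
function scanConfigSource(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    const lineNo = idx + 1;
    const gap = line.match(GAP_RE);
    if (gap) {
      findings.push({ rule: 'code-after-whitespace-gap', line: lineNo, detail: gap[2].slice(0, 60) });
    }
    for (const { id, re } of RULES) {
      if (re.test(line)) findings.push({ rule: id, line: lineNo, detail: line.trim().slice(0, 60) });
    }
  });
  return findings;
}

// A hidden tail is damning on its own; otherwise require several distinct
// markers so configs that legitimately use eval or createRequire are not flagged.
function assessConfigSource(source) {
  const findings = scanConfigSource(source);
  const rules = new Set(findings.map(f => f.rule));
  const verdict = rules.has('code-after-whitespace-gap') || rules.size >= 3 ? 'suspicious' : 'clean';
  return { verdict, findings };
}

// Constructed fixture: an ordinary Astro config.
const BENIGN_CONFIG = [
  "import { defineConfig } from 'astro/config';",
  '',
  'export default defineConfig({',
  "  site: 'https://example.com',",
  '});',
].join('\n');

// Constructed fixture, NOT the real payload: the same config with a
// non-functional stand-in for the loader appended after 300 spaces on the
// closing `});` line. It only carries the string traits the rules look for.
const HIDDEN_FIXTURE = BENIGN_CONFIG + ' '.repeat(300) +
  "import{createRequire}from'module';const require=createRequire(import.meta.url);" +
  "global['!']='A9-0264-2';/* http://166.88.54.158/$/boot with header 'Sec-V' */" +
  "eval(x.split('').map((c,i)=>String.fromCharCode(c.charCodeAt(0)^k.charCodeAt(i%k.length))).join(''));";
```

Run `assessConfigSource` over every file a pull request touches under a build or config path and fail the check on a suspicious verdict; the gap rule ignores plain trailing whitespace because it requires code after the run, so formatter noise does not trip it.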
PolinRider is further tied to large-scale developer targeting through malicious repository modifications and persistence mechanisms. The referenced playbook includes unauthorized .vscode/tasks.json files with "runOn": "folderOpen", which run a task as soon as the repository is opened in VS Code; the technique had been observed across more than 1,900 public repositories. Only workspaces the developer has marked as trusted run such tasks automatically, so Workspace Trust (keeping unfamiliar clones in restricted mode) is the primary control. Related reporting connects PolinRider to Glassworm and to DPRK/Lazarus-aligned supply-chain activity targeting developers.
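The tasks.json check is simple enough to automate before a clone is ever opened in an editor. The audit below is an added example, not code from the TasksJacker or PolinRider reporting: it parses a .vscode/tasks.json and lists every task configured to run on folderOpen, together with its command and whether its output is hidden. VS Code accepts JSON with comments and trailing commas, so the block carries a small stripper for those; the two fixtures (a normal build task and a constructed auto-run task whose command is a placeholder, not a real payload) are assumptions.

```javascript
// Added example (not from the TasksJacker/PolinRider reporting): audit a
// .vscode/tasks.json for tasks that auto-run when the folder is opened.
// Assumption: the file is JSON with optional // and /* */ comments and
// trailing commas, as VS Code allows; the stripper below handles only that.
function stripJsonComments(text) {
  let out = '', i = 0, inStr = false;
  while (i < text.length) {
    const c = text[i], n = text[i + 1];
    if (inStr) {                                   // copy string bodies verbatim
      out += c;
      if (c === '\\') { out += n; i += 2; continue; }
      if (c === '"') inStr = false;
      i++; continue;
    }
    if (c === '"') { inStr = true; out += c; i++; continue; }
    if (c === '/' && n === '*') {                  // block comment
      const end = text.indexOf('*/', i + 2);
      i = end < 0 ? text.length : end + 2; continue;
    }
    if (c === '/' && n === '/') {                  // line comment
      const end = text.indexOf('\n', i);
      i = end < 0 ? text.length : end; continue;
    }
    out += c; i++;
  }
  return out;
}

// Returns the tasks that VS Code would start automatically in a trusted
// workspace, with the details a reviewer needs to judge them.
function auditTasksJson(text) {
  const cleaned = stripJsonComments(text).replace(/,(\s*[}\]])/g, '$1'); // drop trailing commas
  const doc = JSON.parse(cleaned);
  const tasks = Array.isArray(doc.tasks) ? doc.tasks : [];
  const autoRun = [];
  for (const t of tasks) {
    const runOn = t.runOptions && t.runOptions.runOn;
    if (runOn !== 'folderOpen') continue;
    autoRun.push({
      label: t.label || '(unlabelled)',
      type: t.type || 'unknown',
      command: [t.command, ...(t.args || [])].filter(Boolean).join(' '),
      hidden: Boolean(t.presentation && t.presentation.reveal === 'never'),
    });
  }
  return autoRun;
}

// Constructed fixture: an ordinary build task that only runs on request.
const BENIGN_TASKS = `{
  // Ordinary build task: runs only when the developer invokes it.
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "npm", "script": "build", "group": "build" }
  ]
}`;

// Constructed fixture shaped like the folderOpen pattern; the command is a
// placeholder path, not a real payload.
const AUTO_RUN_TASKS = `{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "postinstall",
      "type": "shell",
      "command": "node",
      "args": ["./scripts/setup.js"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    },
  ]
}`;
```

Any hit with a hidden presentation and a shell or process type deserves the same treatment as a malicious commit: remove the task, diff the repository against a known-good revision, and assume the machine that opened the folder as trusted has already run the command. On the endpoint side, VS Code's task.allowAutomaticTasks setting can be set to "off" so folderOpen tasks never start without a prompt.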
High-confidence infrastructure and indicators reported for the campaign include C2 IPs 166.88.54.158, 198.105.127.210, and 23.27.202.27:27017; Tron wallet/address TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP, and TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG in related loader reporting; Aptos identifiers 0xbe037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e and 0x3f0e5781d0855fb460661ac63257376db1941b2bb522499e4757ecb3ebd5dce3; XOR keys ThZG+0jfXE6VAGOJ, 2[gWfGj;<:-93Z^C, and m6:tTh^D)cBz?NM]; campaign markers including global['!'] and values such as 9-0264-2 / A9-0264-2; and suspicious artifacts including temp_auto_push.bat, temp_interactive_push.bat, and unauthorized tasks.json folderOpen execution. Reported targeting focuses on developers, open-source repositories, build pipelines, and CI/development environments.
Groups observed using it
2 distinct threat actors attributed by public researchers.
OpenSourceMalware’s PolinRider reporting describes the same loader architecture as culminating in a DPRK BeaverTail variant and repository-propagation backdoor/infostealer behavior.
It's a direct lift from the PolinRider / TasksJacker playbook that has been running on developer machines since late 2025.
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (1 technique)
Execution (3 techniques)
The technique is .vscode/tasks.json with "runOn": "folderOpen" ... For trusted workspaces, that happens silently, before any code review ... Drop a tasks.json like that into a repository, get a developer to open the repository in VS Code, and you have remote code execution on their machine.
Persistence (1 technique)
Privilege Escalation (1 technique)
Stealth (3 techniques)
homepage/astro.config.mjs: inserts createRequire preamble and a large obfuscated payload... The payload in astro.config.mjs is appended after several hundred characters of horizontal whitespace on the same line as the closing }); . GitHub’s diff renderer treats that line as complete.
Command and Control (3 techniques)
It issues an HTTP GET to /$/boot with a spoofed Chrome 131 desktop User-Agent. The Sec-V header exfiltrates the marker value...
The payload beacons one of three hardcoded C2 servers, exfiltrates a campaign marker, XOR-decrypts and evaluates a downloaded bot client... It issues an HTTP GET to /$/boot... The C2 response at /$/boot becomes the live bot client.
Stage A runs concurrently with Stage B. It resolves a second-stage command through a three-chain relay... The attacker updates the active payload by sending one new BSC transaction from a wallet they control. No DNS record changes, no IP address updates, no server restarts.
IOCs tracked for this family
9 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Referenced as a named malware or campaign associated with a supply chain attack using blockchain C2; that source includes no further technical details.
A DPRK-attributed supply-chain malware/loader campaign that hides in developer workflows and build/config files. In this case it executes from astro.config.mjs during Astro build/dev/preview, beacons hardcoded C2 servers, exfiltrates a campaign marker, XOR-decrypts and evals a downloaded bot client, and separately retrieves a second-stage JavaScript command via a Tron → Aptos → BSC blockchain relay.
A named loader architecture/reporting label associated with the same blockchain dead-drop delivery pattern leading to BeaverTail-family malware.
A malware campaign/family active since late 2025 that abuses VS Code .vscode/tasks.json with runOn: folderOpen as a persistence and execution mechanism on developer machines, including fallback persistence behind npm-config-file injection.