astro.config.mjs Supply Chain Attack via Blockchain C2

2026-06-12 SafeDep

https://safedep.io/astro-config-blockchain-c2-supply-chain


A malicious PR against Egonex-AI/Understand-Anything hid an obfuscated loader inside `homepage/astro.config.mjs`, causing `astro build`, `astro dev`, or `astro preview` to execute the payload on developer and CI systems. The loader restored `require` in an ESM config, beaconed to hardcoded HTTP C2 hosts, decrypted and evaluated a bot client, and independently resolved second-stage JavaScript through a TRON-to-Aptos-to-BSC blockchain dead-drop relay. SafeDep linked the payload to DPRK-attributed PolinRider based on matching cryptographic and infrastructure fingerprints, including the Tron dead drop, XOR key, decoder markers, and propagation artifacts. The attack expands PolinRider's developer-focused supply-chain activity into an upstream PR-review vector designed to hide malicious build-time code in horizontal whitespace.
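The build-time behaviours described above (CommonJS `require` restored inside an ESM config, payload evaluated at `astro build`/`dev`/`preview` time, beacons to hardcoded C2 hosts, code pushed off-screen behind horizontal whitespace) are all things a reviewer or CI job can screen for statically before the config is ever executed. The scanner below is an added example written for this page; it is not SafeDep's tooling and not code from the Understand-Anything project. `scanAstroConfig`, `IOC_STRINGS`, `CODE_PATTERNS`, the `HIDDEN_GAP` threshold and the two sample configs are all assumptions constructed here; the network indicators are the ones listed in the IoC table on this page.

```javascript
// Added example: static triage of an Astro config before it is executed.
// Nothing here runs the config; it only reads the text and reports findings.

// Network indicators copied from this page's IoC table.
const IOC_STRINGS = [
  'http://23.27.202.27:27017/$/boot',
  'http://198.105.127.210/$/boot',
  'http://166.88.54.158/$/boot',
  '23.27.202.27', '198.105.127.210', '166.88.54.158',
  'api.trongrid.io', 'fullnode.mainnet.aptoslabs.com',
  'bsc-dataseed.binance.org', 'bsc-rpc.publicnode.com',
];

// Assumed threshold: a run of this many spaces/tabs between two pieces of
// code on one line is treated as an attempt to push the second piece past
// the edge of a diff view (the "horizontal whitespace" hiding in the report).
const HIDDEN_GAP = 40;
const HIDDEN_GAP_RE = new RegExp('\\S[ \\t]{' + HIDDEN_GAP + ',}\\S');

// Behaviours named in the report plus generic code-evaluation sinks.
// A config file legitimately needs none of these.
const CODE_PATTERNS = [
  { id: 'require-in-esm', re: /\bcreateRequire\s*\(|\brequire\s*\(\s*['"]/,
    why: 'restores or uses CommonJS require inside an ESM config' },
  { id: 'dynamic-eval', re: /\beval\s*\(|new\s+Function\s*\(|\bvm\s*\.\s*runIn/,
    why: 'evaluates runtime-generated code' },
  { id: 'child-process', re: /\bchild_process\b|\bexecSync\s*\(|\bspawn\s*\(/,
    why: 'spawns processes at build time' },
  { id: 'hex-blob', re: /['"`][0-9a-fA-F]{64,}['"`]/,
    why: 'long hex literal (possible encrypted or encoded stage)' },
];

// Returns one finding per (line, rule): { line, id, why }.
function scanAstroConfig(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    const n = idx + 1;
    if (HIDDEN_GAP_RE.test(line)) {
      findings.push({ line: n, id: 'hidden-in-whitespace',
        why: `code follows a run of ${HIDDEN_GAP}+ horizontal whitespace characters` });
    }
    for (const p of CODE_PATTERNS) {
      if (p.re.test(line)) findings.push({ line: n, id: p.id, why: p.why });
    }
    // Report the first matching indicator only; a URL also contains its IP.
    const ioc = IOC_STRINGS.find((s) => line.includes(s));
    if (ioc) findings.push({ line: n, id: 'known-ioc', why: `references ${ioc}` });
  });
  return findings;
}

// Constructed sample: an ordinary Astro config that should produce no findings.
const BENIGN = [
  "import { defineConfig } from 'astro/config';",
  'export default defineConfig({',
  "  site: 'https://example.com',",
  '  integrations: [],',
  '});',
].join('\n');

// Constructed sample: a config exhibiting the report's traits. Line 2 hides
// a createRequire call behind 60 spaces; line 3 carries one of the page's IoCs.
const SUSPICIOUS = [
  "import { defineConfig } from 'astro/config';",
  "import { createRequire } from 'module';" + ' '.repeat(60) +
    'const r = createRequire(import.meta.url);',
  "const beacon = 'http://23.27.202.27:27017/$/boot'; // constructed line",
  "export default defineConfig({ site: 'https://example.com' });",
].join('\n');

// Stand-alone use: `node scan.js path/to/astro.config.mjs` scans a real file
// (CommonJS only); with no argument the constructed samples are scanned.
let target = SUSPICIOUS;
let label = 'constructed SUSPICIOUS sample';
if (typeof require === 'function' && process.argv[2]) {
  target = require('fs').readFileSync(process.argv[2], 'utf8');
  label = process.argv[2];
}
console.log(`benign sample: ${scanAstroConfig(BENIGN).length} findings`);
for (const f of scanAstroConfig(target)) {
  console.log(`${label}:${f.line} [${f.id}] ${f.why}`);
}
```

Any non-empty result is a reason to stop and read the file in a raw editor with whitespace rendered rather than in a diff viewer, since the hiding technique targets the viewer. The whitespace heuristic will also flag unusually wide comment alignment, which is acceptable for a pre-merge gate on a file that is executed by the build tool.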

Indicators of Compromise

Type    Value                                  First Seen   Last Seen
URL     http://23.27.202.27:27017/$/boot       2026-06-12   2026-06-12
URL     http://198.105.127.210/$/boot          2026-06-12   2026-06-12
URL     http://166.88.54.158/$/boot            2026-06-12   2026-06-12
IPv4    166.88.54.158                          2026-04-24   2026-06-12
IPv4    198.105.127.210                        2026-03-05   2026-06-12
IPv4    23.27.202.27                           2025-10-20   2026-06-12
WALLET  0xbe037400670fbf1c32364f7629759…       2026-05-31   2026-05-31
WALLET  TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7…       2026-05-31   2026-05-31
DOMAIN  api.trongrid.io                        2025-10-27   2026-05-31
DOMAIN  fullnode.mainnet.aptoslabs.com         2025-10-27   2026-05-31
DOMAIN  bsc-dataseed.binance.org               2025-10-27   2026-04-11
DOMAIN  bsc-rpc.publicnode.com                 2025-10-27   2026-04-11
