PolinRider: DPRK Threat Actor Implants Malware in Hundreds of GitHub Repos

2026-03-08 OSM

https://opensourcemalware.com/blog/polinrider-attack


OpenSourceMalware attributes the PolinRider campaign to DPRK activity and says the actor implanted obfuscated JavaScript payloads in 675 public GitHub repositories across 352 owners by March 8, 2026. The injected code was appended after legitimate content in common developer configuration files such as postcss.config.mjs, tailwind.config.js, eslint.config.mjs, and next.config.mjs, with the source assessing a compromised npm package or VS Code-related workflow as the likely infection path. The payload chain is described as a DPRK BeaverTail variant that steals credentials and cryptocurrency, installs a RAT, and uses blockchain transactions on TRON, Aptos, and BSC as dead-drop C2 material. The campaign also used tooling such as temp_auto_push.bat to amend and force-push git history while preserving commit metadata, making malicious repository changes harder to notice during routine review.
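The following is an added example written for this summary, not tooling from OpenSourceMalware or from the campaign write-up: a small Python scanner for the appended-payload pattern described above. The target file names come from the report; the heuristics (over-long lines, dynamic-eval and decoding markers, base64 and hex-escape runs, and any code that follows the config's default export) and their thresholds are this example's own assumptions, and both sample configs are constructed rather than taken from an infected repository.

```python
"""Flag appended, obfuscated JavaScript in developer config files.

Added example for this summary, not code from OpenSourceMalware or from the
PolinRider write-up. The target file names come from the report; every
heuristic, threshold and sample below is an assumption of this example.
"""
import re
import sys
from pathlib import Path

# Config files the report names as carriers of the appended payload.
TARGET_FILES = {
    "postcss.config.mjs", "tailwind.config.js",
    "eslint.config.mjs", "next.config.mjs",
}

LONG_LINE = 200  # hand-written config lines are far shorter (assumed threshold)
MARKERS = re.compile(
    r"\beval\s*\(|new\s+Function\s*\(|\batob\s*\(|String\.fromCharCode|child_process"
)
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")
ESCAPE_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){6,}")
EXPORT_START = re.compile(r"^\s*(export\s+default\b|module\.exports\s*=)")


def trailing_code_start(lines):
    """1-based line number of the first code line after the config's default
    export closes, or None. Brace/paren balancing ignores string contents,
    which is good enough for the object-literal shape these configs use."""
    starts = [i for i, line in enumerate(lines) if EXPORT_START.match(line)]
    if not starts:
        return None
    start = starts[-1]
    depth, seen_open = 0, False
    for i in range(start, len(lines)):
        for ch in lines[i]:
            if ch in "{([":
                depth, seen_open = depth + 1, True
            elif ch in "})]":
                depth -= 1
        if depth <= 0 and (seen_open or i == start):
            # Export statement closes here; anything but blanks/comments after it is appended code.
            for j in range(i + 1, len(lines)):
                s = lines[j].strip()
                if s and not s.startswith("//"):
                    return j + 1
            return None
    return None


def scan_text(text):
    """Return [(line_no, [reasons...]), ...] sorted by line number."""
    lines = text.splitlines()
    findings = {}
    for no, line in enumerate(lines, 1):
        reasons = []
        if len(line) > LONG_LINE:
            reasons.append(f"line length {len(line)} > {LONG_LINE}")
        if MARKERS.search(line):
            reasons.append("dynamic-eval or decoding marker")
        if BASE64_RUN.search(line):
            reasons.append("long base64-like run")
        if ESCAPE_RUN.search(line):
            reasons.append("run of hex/unicode escapes")
        if reasons:
            findings[no] = reasons
    trailing = trailing_code_start(lines)
    if trailing is not None:
        findings.setdefault(trailing, []).append("code after the default export")
    return sorted(findings.items())


def scan_repo(root):
    """Scan every target config file under root, skipping node_modules."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.name in TARGET_FILES and "node_modules" not in path.parts:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed samples (not a real payload): a benign Next.js config, and the
# same file with an obfuscated IIFE appended after the export statement.
CLEAN = """\
/** @type {import('next').NextConfig} */
const nextConfig = {
  reactStrictMode: true,
  images: { domains: ['example.com'] },
};

export default nextConfig;
"""
INFECTED = (
    CLEAN + "\n;(function(){var _0x=['"
    + "\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f"
    + "'];eval(atob('" + "QUFB" * 40 + "'));})();\n"
)

if __name__ == "__main__":
    for path, hits in scan_repo(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for no, reasons in hits:
            print(f"{path}:{no}: {'; '.join(reasons)}")
```

Treat hits as review triggers rather than verdicts: generated or minified configs will trip the length and base64 checks, and the "code after the default export" check only understands the plain object-literal or `defineConfig(...)` shape. Because the report describes the actor force-pushing amended history with unchanged commit metadata, a clean `git log` is not evidence of an untouched repository; compare the current branch tip against a previously recorded commit hash (for example with `git merge-base --is-ancestor <recorded> HEAD`) to detect a rewrite that this file-level scan cannot see.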

Indicators of Compromise

Type    Value                                 First Seen   Last Seen
DOMAIN  api.trongrid.io                       2025-10-27   2026-05-31
DOMAIN  fullnode.mainnet.aptoslabs.com        2025-10-27   2026-05-31
URL     https://fullnode.mainnet.aptosl…      2026-03-08   2026-04-11
URL     https://wolf-studios-frontend.v…      2026-03-08   2026-04-11
URL     https://api.trongrid.io/v1/acco…      2026-03-08   2026-04-11
DOMAIN  gowreesh-vt.github.io                 2026-03-08   2026-04-11
DOMAIN  shop.ceenami.com                      2026-03-08   2026-04-11
URL     https://api.trongrid.io/v1/acco…      2026-01-14   2026-04-11
URL     https://fullnode.mainnet.aptosl…      2026-01-14   2026-04-11
DOMAIN  bsc-dataseed.binance.org              2025-10-27   2026-04-11
DOMAIN  bsc-rpc.publicnode.com                2025-10-27   2026-04-11
YARA    rmcej_otb_payload                     2026-03-08   2026-03-08
HASH    7af8f530f537ec4fae33afb4abb63f9…      2026-03-08   2026-03-08
HASH    05e169512fdfb8f3492f0a259b445b2…      2026-03-08   2026-03-08

Values ending in "…" are truncated in the source listing and cannot be matched as-is. The TRON, Aptos and BSC hosts are public blockchain RPC endpoints that the payload queries to retrieve its dead-drop C2 data; traffic to them is not malicious on its own, so pair a domain match with the file-level indicators above rather than blocking on the domain alone.
