The PolinRider campaign represents a highly automated software supply chain attack in which a threat actor—assessed to be DPRK-linked—leveraged a compromised developer environment to achieve large-scale propagation across GitHub repositories. The initial access vector was a trojanized Visual Studio Code extension, which, once installed, executed malicious logic within the developer’s local environment and abused legitimate GitHub authentication contexts already present on the system.
Rather than stealing credentials outright, the malware operated in-process with the developer's existing GitHub session, enabling it to perform authenticated actions such as cloning repositories, modifying source code, and pushing commits back to origin. The payload systematically injected backdoored code into targeted repositories and used ordinary GitHub operations (forking repositories and pushing commits) to propagate further, effectively behaving as a worm within the software development ecosystem.
The campaign demonstrated strong awareness of developer tooling and workflows, selectively modifying files in a way that minimized detection while ensuring execution in downstream environments. By embedding malicious logic directly into source code, the attacker established persistent supply chain footholds, allowing the payload to spread into CI/CD pipelines and downstream dependencies when infected repositories were reused or imported.