North Korean threat actors associated with the Contagious Interview campaign have been observed publishing 108 unique packages and web browser extensions spanning NPM, Packagist, Go, and Google Chrome as part of an ongoing activity. polinrider.
“The campaign is active, and new malicious packages are likely to emerge as threat actors compromise maintainer accounts, modify legitimate repositories, and publish infected package versions where they maintain or gain registry access,” Socket Security researcher Carlo Zanci said in an analysis published this week.
The 162 malicious release artifacts include multiple release versions corresponding to 108 unique packages and extensions, including 19 npm libraries, 10 Composer packages, 61 Go modules, and one Google Chrome extension.
Infectious Interviews is the nickname assigned to a North Korea-aligned campaign that weaponizes job recruitment to target software developers and individuals working in cryptocurrency sectors, using motivational job interviews and assessments to trick them into executing malicious code.
This activity is considered active through at least 2023. Attackers pose as recruiters or collaborators on platforms like LinkedIn, GitHub or freelance websites, often setting up elaborate front companies and AI-generated employee profiles to build trust and ultimately distribute malware.
PollinRider was first flagged by the OpenSourceMalware team in March 2026, in which it was described as involving threat actors implanting malicious obfuscated JavaScript payloads into hundreds of public GitHub repositories belonging to multiple unique owners to deliver a new version of Beavertail, a known JavaScript malware associated with infectious viruses.
As of April 11, 2026, the activity has compromised 1,951 public GitHub repositories belonging to 1,047 unique owners, while merging with another cluster called TaskJacker that drops malicious VS Code task files into GitHub users’ existing repositories. VS Code functions include the “runOn: ‘folderOpen'” option, which triggers the execution of arbitrary code when the folder is opened as a workspace folder in an IDE like VS Code or at a cursor.
“The threat actor is not using stolen GitHub credentials,” OpenSourceMalware said. “Instead, victims have been compromised via malicious VS Code extensions or NPM packages.” It is believed that the attackers are taking over maintainer accounts to carry out this scheme, possibly through expired domain takeover or some other account recovery path.
Once executed, the malware searches the infected computer for certain files such as “postcss.config.mjs,” “tailwind.config.js,” “eslint.config.mjs,” Next.config.mjs,” babel.config.js,” and “app.js” and, if found, appends malicious JavaScript code to them.
It also uses Windows batch scripts to secretly modify final commits while making them appear as if they were created by the original author. It is suspected that similar tools are being used to rewrite Git history for other operating systems like Linux and macOS.
“The core tradecraft has remained consistent throughout the campaign: threat actors plant obfuscated JavaScript loaders in legitimate repositories, hide code via whitespace padding or fake .woff2 font files, and trigger execution via developer tooling such as VS Code task files,” Sockett said.
In the latest wave, the payload acts as a JavaScript malware loader that accesses blockchain infrastructure, including TRON, Aptos, and BNB smart chain services, to fetch an encrypted second-stage payload that unpacks the DEV#POPPER RAT and OmniStealer. This attack chain was detailed by eSentire in March 2026.
“Threat actors use Git history rewriting, including force pushing and anti-dated commits, to make malicious changes appear older and less suspicious,” Zanki said. “This makes GitHub landing pages and visible commit history unreliable indicators of compromise; defenders should review repository activity logs, package release metadata, VS Code job configurations, and suspicious changes to configuration files.”
The development came after JFrog exposed a group of NPM packages linked to Infectious Interviews, some of which were presented as rollup polyfill tools to enable remote access and data theft. Earlier this week, another set of NPM packages and Go packages were identified as containing VS Code auto-run tasks to run JavaScript payloads disguised as fake font files, indicating strategic overlap between Fake Fonts, TaskJacker, and PollinRider.
Users who installed these packages should compromise the environment, flush the exposed secrets from a clean machine, delete the affected volumes and rebuild from a known good lockfile, and audit the developer workstation and repository for hidden execution paths or suspicious commits that modified the “.vscode/tasks.json,” “config.js,” “vite.config.js,” and “eslint.config.js” files.