Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: go (2 articles)Clear

North Korea spreads 108 poisoned packages across npm, Go, and browser extensions

Socket detailed PolinRider, an active North Korean supply-chain campaign that has planted 108 malicious packages and a browser extension across the npm, Go, and Packagist ecosystems, expanding the developer-targeting activity behind this week's Rollup npm packages. Operators take over legitimate GitHub maintainer accounts, often via expired-domain or account-recovery abuse, then bulk-modify repositories and publish infected versions. To stay hidden, they rewrite Git history so malicious commits look old, pad one-line loaders with whitespace to push them off screen, and disguise payloads as font files. Some trigger automatically through VS Code task settings when a developer simply opens the project folder in an editor like VS Code or Cursor.

Check
Check whether your projects pulled any flagged PolinRider packages, and review repositories for rewritten Git history, whitespace-hidden code in config files, and VS Code tasks that run on folder open.
Affected
Developers across npm, Go, and Packagist who install from compromised maintainer accounts, especially anyone opening untrusted repositories in VS Code or Cursor; the loaders deliver stealers and remote-access malware.
Fix
Pin and verify dependencies, review repository activity logs and release metadata rather than trusting the file view, disable task auto-run on folder open, and rotate credentials if you installed an affected version.

Self-spreading Shai-Hulud worm hits more npm packages and reaches into Go

Socket reports a new wave of the self-spreading Shai-Hulud supply-chain worm, in its Miasma and Hades variants, that compromised more npm packages and, for the first time, reached the Go ecosystem. On June 24 attackers used a hijacked maintainer account to push trojanized versions of LeoPlatform and RStreams npm packages, tied to cloud and serverless workloads, and also poisoned a Go module from the Verana blockchain project. The malware harvests developer and CI/CD credentials, abuses GitHub Actions, and polls GitHub hourly for a marker commit to pull down its Hades payload. Researchers note the campaign keeps shifting ecosystems and indicators to stay ahead of detection rather than changing its core behavior.

Check
Check whether your projects or pipelines pulled affected LeoPlatform, RStreams, or related npm packages or the compromised Verana Go module, and review developer and CI/CD systems for credential theft.
Affected
Developers and CI/CD pipelines that installed the compromised npm packages or Go module; the worm steals cloud, registry, and GitHub credentials, then uses them to spread to more packages and repositories.
Fix
Remove affected versions, rotate developer, cloud, and CI/CD credentials, pin and verify dependencies, restrict install-time and build-time execution, and monitor for unexpected GitHub Actions activity and new exfiltration repositories.