Socket detailed PolinRider, an active North Korean supply-chain campaign that has planted 108 malicious packages and a browser extension across the npm, Go, and Packagist ecosystems, expanding the developer-targeting activity behind this week's Rollup npm packages. Operators take over legitimate GitHub maintainer accounts, often via expired-domain or account-recovery abuse, then bulk-modify repositories and publish infected versions. To stay hidden, they rewrite Git history so malicious commits look old, pad one-line loaders with whitespace to push them off screen, and disguise payloads as font files. Some trigger automatically through VS Code task settings when a developer simply opens the project folder in an editor like VS Code or Cursor.
Socket reports a new wave of the self-spreading Shai-Hulud supply-chain worm, in its Miasma and Hades variants, that compromised more npm packages and, for the first time, reached the Go ecosystem. On June 24 attackers used a hijacked maintainer account to push trojanized versions of LeoPlatform and RStreams npm packages, tied to cloud and serverless workloads, and also poisoned a Go module from the Verana blockchain project. The malware harvests developer and CI/CD credentials, abuses GitHub Actions, and polls GitHub hourly for a marker commit to pull down its Hades payload. Researchers note the campaign keeps shifting ecosystems and indicators to stay ahead of detection rather than changing its core behavior.