Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: north-korea (5 articles)Clear

North Korea spreads 108 poisoned packages across npm, Go, and browser extensions

Socket detailed PolinRider, an active North Korean supply-chain campaign that has planted 108 malicious packages and a browser extension across the npm, Go, and Packagist ecosystems, expanding the developer-targeting activity behind this week's Rollup npm packages. Operators take over legitimate GitHub maintainer accounts, often via expired-domain or account-recovery abuse, then bulk-modify repositories and publish infected versions. To stay hidden, they rewrite Git history so malicious commits look old, pad one-line loaders with whitespace to push them off screen, and disguise payloads as font files. Some trigger automatically through VS Code task settings when a developer simply opens the project folder in an editor like VS Code or Cursor.

Check
Check whether your projects pulled any flagged PolinRider packages, and review repositories for rewritten Git history, whitespace-hidden code in config files, and VS Code tasks that run on folder open.
Affected
Developers across npm, Go, and Packagist who install from compromised maintainer accounts, especially anyone opening untrusted repositories in VS Code or Cursor; the loaders deliver stealers and remote-access malware.
Fix
Pin and verify dependencies, review repository activity logs and release metadata rather than trusting the file view, disable task auto-run on folder open, and rotate credentials if you installed an affected version.

North Korea hides malware in fake Rollup npm packages to steal developer secrets

JFrog found a new set of malicious npm packages, linked to North Korea, that impersonate legitimate Rollup polyfill tooling closely enough to pass a quick dependency review, down to matching names and metadata. Installing them pulls in hidden second-stage packages disguised as SVG utilities, which fetch and run a JavaScript payload while checking that they are not in a sandbox or cloud build. The malware hunts for developer secrets, and notably targets the configuration and history of AI coding tools like Cursor alongside AWS, Azure, SSH, and npm credentials. Because build plugins run on developer machines and in CI, a single poisoned dependency can expose source code, tokens, and cloud keys.

Check
Check whether any projects or build pipelines pulled the flagged Rollup-lookalike npm packages, and review developer machines and CI for exposed npm tokens, cloud keys, SSH keys, and AI coding tool configurations.
Affected
Developers and CI pipelines that installed the lookalike Rollup polyfill packages; the malware steals npm tokens, cloud and SSH credentials, source code, and secrets from AI coding tool configurations on the machine.
Fix
Pin and verify dependencies and scrutinize lookalike package names before installing, keep secrets out of developer and CI environments where possible, rotate any exposed credentials, and monitor for suspicious install-time network activity.

North Korea's ScarCruft uses fake Microsoft alerts to plant NarwhalRAT spyware

South Korea's Genians Security Center reports that the North Korean group ScarCruft (APT37) is sending spear-phishing emails dressed up as Microsoft Account security alerts to deliver a Python-based spy tool called NarwhalRAT. The emails warn of suspicious one-time-code activity and urge the recipient to open an attached advisory, which is actually a ZIP holding a malicious shortcut. Opening it kicks off a multi-stage, in-memory infection that leaves little on disk and gains persistence through a scheduled task. NarwhalRAT can log keystrokes, capture screenshots, record audio, and steal files from USB drives, and it disguises itself as the Korean browser Naver Whale while targeting South Korean users.

Check
Train staff to treat unexpected Microsoft account-security or OTP-alert emails with caution, verify the real sender domain, and never open attached archives or shortcut files from such messages.
Affected
Targets of North Korean espionage, with this campaign focused on South Korean users; victims are lured by fake Microsoft account-security emails carrying a ZIP with a malicious shortcut file.
Fix
Block or quarantine inbound archives containing shortcut files, enforce phishing-resistant MFA so OTP-themed lures lose value, and alert on scheduled tasks that launch scripts fetching payloads into memory.

North Korean hackers poison npm packages to hit developers and steal crypto

The North Korean campaign known as Contagious Interview is still expanding its assault on software developers, now leaning on poisoned developer tools and fake job offers. Researchers at Proofpoint and Expel describe obfuscated malicious npm packages, published from throwaway accounts, that install the OtterCookie infostealer through a post-install script, alongside recruitment and code-review phishing lures. The group is using generative AI to build its malware loaders and to set up fake companies and LinkedIn profiles for social engineering. Expel says the operation stole $12 million in cryptocurrency in the first three months of 2026, draining more than 26,000 wallets from over 2,700 infected developer machines.

Check
Audit developer machines and CI pipelines for recently installed npm packages with post-install scripts from unfamiliar publishers, and review whether staff engaged with unsolicited recruiters or take-home coding tests.
Affected
Software developers, especially in cryptocurrency, Web3, and blockchain, targeted through malicious npm packages and fake job interviews; their machines, wallets, and source code are the goal.
Fix
Vet dependencies before installing, block install-time scripts in CI, isolate untrusted coding tests in disposable sandboxes, and train developers to treat unsolicited recruiter outreach and test assignments as suspect.

Axios npm attack attributed to North Korean hackers UNC1069 - part of broader campaign targeting open-source maintainers

The Axios supply chain attack we covered on March 31 has now been attributed to UNC1069, a North Korean threat group linked to BlueNoroff that specializes in financially motivated attacks against crypto exchanges and financial institutions. Google's Mandiant confirmed the attackers social-engineered the lead maintainer through a fake video call, deploying a RAT via the compromised npm account. Socket warns this wasn't a one-off - the same actors have compromised accounts spanning some of the most widely depended-upon packages in the npm registry.

Check
Re-check your environments for axios 1.14.1 or 0.30.4. If you found and removed them previously, verify credential rotation was completed.
Affected
axios 1.14.1 and 0.30.4 on npm. Socket warns additional high-trust npm packages may be compromised by the same actor - monitor for advisories.
Fix
Pin to axios 1.14.0 or 0.30.3. Rotate all credentials on any system that ran the poisoned versions. Block sfrclak[.]com and 142.11.206.73 on port 8000. Enforce OIDC-backed provenance verification for critical npm dependencies.