PolinRider DPRK Supply-Chain Campaign - Malicious npm and VS Code Artifacts Infect 1,900+ GitHub Repositories

PolinRider is a DPRK npm supply chain campaign attributed to the Lazarus Group and its financially motivated subgroup BlueNoroff. As of April 11, 2026 it had compromised 1,951 public GitHub repositories across 1,047 unique owners - a 2.9x increase in scope over five weeks. This advisory covers what happened, why it lands on the agentic-endpoint layer, and how to inventory and govern the editor artifacts and CLIs the campaign runs through across your fleet.

What happened

The PolinRider campaign begins with malicious npm packages that execute during the install or build phase. Rather than dropping a standalone binary, the payload injects heavily obfuscated JavaScript into legitimate config files - notably postcss.config.mjs and tailwind.config.js - by appending its code after the valid content. A reviewer scanning the top of the file sees a normal configuration; the attacker code sits below it. That single placement choice is why the campaign spread quietly across 1,951 repositories and 1,047 owners before the scope was measured.

To survive review, the actor also rewrites Git history to falsify commits and conceal the malicious changes, so the commit log a defender trusts no longer reflects what is on disk. Delivery is targeted as well as broad: PolinRider uses 'weaponized take-home templates' - fake coding assessments handed out in fraudulent job interviews - and two such projects compromised at least 88 developers. The intended victims are blockchain engineers, cryptocurrency developers, and AI researchers, consistent with North Korea's objective of stealing intellectual property and liquid assets to bypass sanctions.

The technique has already been borrowed: Mini Shai-Hulud later reused PolinRider's repository-injection trick, the same lifecycle-hook supply-chain pattern in the sibling Mini Shai-Hulud TanStack advisory and the earlier Shai-Hulud 2 npm worm. Because there is no single CVE to patch, remediation is operational: review config files for appended obfuscated JavaScript, verify commit history integrity independently of the visible log, and treat interview take-home projects as untrusted code - see fleet visibility.

Why this is an agentic-endpoint risk

PolinRider executes during npm install or build, on the same developer workstations where AI coding agents, IDE extensions, and CLIs already run. On a modern machine those installs are increasingly driven by an AI agent that scaffolds a project, adds a dependency, or runs a build - and the moment a tampered package is in the tree, the appended payload fires inside the agent's process with the agent's environment and reachable secrets. AI agents, MCP servers, extensions, and CLIs are part of the eight AI artifact types Anomity inventories per endpoint, adopted bottom-up the same way AI agents became the new shadow IT.

This exposure is hard to see from the controls you already run, because it lives in the AI artifact layer. The build looks legitimate to network tooling, the editor process looks legitimate to EDR, and DLP sees nothing at rest because the code is appended to a trusted config file like postcss.config.mjs and the falsified Git history hides the change. The question is not whether a package is patched - there is nothing to patch - it is which endpoints run the agents, extensions, and CLIs that install and build code, and what those artifacts do around an install. That is the boundary runtime governance holds, alongside the tools in the comparison.

How Anomity surfaces and governs it

With no version to roll forward and a falsified commit log, the durable control is to inventory the agents, extensions, and CLIs that drive installs and govern what they do. Anomity does that in three steps.

First, inventory. Anomity inventories AI agents, MCP servers, extensions, skills, plugins, secrets, hooks, and CLIs on every managed endpoint as part of the eight AI artifact types it tracks, then classifies them. It captures the editor and CLI surfaces across developer machines and CI-adjacent endpoints - including the VS Code artifacts and Node CLIs PolinRider's npm payload runs through - so you can find every place that can install or build a tampered package. Anomity collects metadata only, and secrets are redacted on the endpoint before anything leaves it.

Second, decide at the hook. On agents that expose a hook - for example the Claude Code PreToolUse event - Anomity evaluates each tool call against your policy and returns allow, deny, or log before it runs. An agent about to run an install or build that would fire PolinRider's appended payload, or write to a config file like tailwind.config.js, can be denied at the boundary - what runtime governance provides when there is no patch to wait for.

Third, keep the record. Anomity records the install-time and editor-config tampering PolinRider relies on, so a config file gaining appended code or a CLI running an install is logged against a queryable 90-day audit trail, and decisions route to SIEM, Slack, email, or Jira. When a campaign like PolinRider surfaces, you can answer which endpoints ran the affected installs and which config artifacts changed - from a record, not a falsified commit log. Anomity is SOC 2 Type II and complements your network controls, EDR, DLP, and GRC. See the audit trail and how it works.

You can't govern what you can't see.The Anomity principle

What to check across your fleet

• Review config files - especially postcss.config.mjs and tailwind.config.js - to their end for heavily obfuscated JavaScript appended after the valid content.
• Verify commit-history integrity independently of the visible log, since PolinRider rewrites Git history to falsify commits and conceal changes.
• Treat every interview take-home project as untrusted code: run installs and builds only in isolation, never on a machine holding production credentials - two weaponized templates compromised at least 88 developers.
• Inventory every endpoint and pipeline that runs AI coding agents, IDE extensions, and CLIs capable of npm install or build, focusing on blockchain, cryptocurrency, and AI-research teams PolinRider targets.
• Confirm install and build commands triggered by an agent are evaluated at a hook with allow/deny/log, so a tampered package's payload is stopped before it runs.
• Verify secrets reachable by an agent or CLI that runs installs are redacted on the endpoint and never centralized in plaintext.
• Verify every tool call and artifact change is written to a 90-day audit trail and routed to your SIEM, so you can answer scope when the next config-injection campaign lands.
• Cross-reference this inventory against the sibling Mini Shai-Hulud TanStack advisory, which reused PolinRider's repository-injection trick, to find endpoints exposed to more than one path.

PolinRider is a reminder that an everyday package install or build - increasingly driven by an AI agent or CLI - becomes an intellectual-property and credential-theft path the moment a dependency appends obfuscated code to a trusted config file and the Git log is rewritten to hide it. Review config files for appended JavaScript, verify commit integrity, treat take-home projects as untrusted, then inventory the agents, extensions, and CLIs your endpoints run and govern the tool calls those agents make at the hook. For the full picture, see the pillar guide on AI supply-chain attacks. To see Anomity govern the agent layer across your fleet, request early access.