Socket Tracks 108 Malicious Packages In PolinRider Supply-Chain Attack

Newsroom brief

Socket reported 162 malicious release artefacts across 108 packages in the PolinRider supply-chain campaign. The report names Go, Packagist and Chrome extension exposure but does not identify victim companies.

Verified against source material. Edited by SendTech Times Cybersecurity Desk.
Socket reported that its analysts catalogued 162 malicious release artefacts across 108 packages in the PolinRider supply-chain attack, including activity in Go, Packagist, npm-linked infrastructure and a Chrome extension.

The evidence comes from Socket security telemetry, so the article treats the findings as vendor threat research rather than an independent incident filing.

Socket analysts said the campaign uses compromised maintainer accounts to publish infected versions of packages into repositories that developers already trust, and hides the malicious code behind JavaScript loaders so the new versions pass casual review.

Socket PolinRider Supply-Chain Attack Expands Across Go And Packagist

Socket analysts reported that they found compromise traces in 80 separate Go modules, in 10 Packagist packages and in a Chrome extension.

Socket identified the threat cluster as Contagious Interview, also known as Famous Chollima.

The report said the operation has moved beyond earlier npm registry activity into Go and PHP package environments.

In those ecosystems, build tooling installs whatever a trusted namespace publishes, so a single compromised maintainer account can push a malicious version straight into enterprise deployment pipelines.

Hidden JavaScript Loaders Use VS Code Tasks And Fake Fonts

Socket analysts described a payload chain that hides JavaScript loaders inside project assets.

Attackers push the malicious statement far to the right behind long runs of whitespace, so it sits off-screen in an editor, or embed loader code inside fake .woff2 font files, so the malicious code is harder to spot during normal review.

The report said execution depends on local developer tooling.

A modified .vscode/tasks.json file defines a task that runs automatically when an engineer opens the project folder in VS Code: the task hands the fake font asset to Node.js, which executes it as a script, so the loader runs before the developer has built anything.

Blockchain RPC Networks Carry Encrypted Payloads

Socket analysts said the loader contacts public RPC infrastructure on TRON, BNB Smart Chain and Aptos to retrieve encrypted second-stage payloads.

The loader decrypts the retrieved blob with an XOR key embedded in the loader itself and hands the result to eval(), so the code that actually executes never appears in the published package on disk.

The named secondary payloads include OmniStealer and DEV#POPPER.

According to the report, those tools can support arbitrary command execution, credential theft, browser data theft and cryptocurrency wallet exfiltration.
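The XOR-plus-eval() stage described in this section, worked through from the analyst's side as an added example (this is not Socket's code or the campaign's loader). It shows how to recover an embedded repeating-key XOR key from a fetched blob using a known-plaintext crib, then unwrap the second stage. The key, the plaintext stage and the JSON-RPC style reply are all constructed for illustration; the report does not give the real key length or the exact on-chain framing, so both are assumptions.

```python
"""Recovering an XOR-wrapped second stage fetched from a blockchain RPC.

Added analyst example. Everything under 'constructed sample' is made up;
the real campaign's key length and reply framing are not in the report.
"""
import json
from itertools import cycle
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(cipher: bytes, crib: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext key recovery.

    Slide a crib (a JS fragment the stage is expected to contain) along the
    ciphertext. Where the crib really sits, crib XOR cipher yields key bytes
    that repeat with period key_len. Rotate that window back to offset 0.
    """
    if len(crib) < key_len:
        raise ValueError("crib must be at least key_len bytes")
    for off in range(len(cipher) - len(crib) + 1):
        stream = xor_bytes(cipher[off:off + len(crib)], crib)
        if all(stream[i] == stream[i % key_len] for i in range(len(stream))):
            shift = off % key_len
            return bytes(stream[(j - shift) % key_len] for j in range(key_len))
    return None


def extract_stage(rpc_reply: str, key: bytes) -> bytes:
    """Pull the hex 'result' field out of a JSON-RPC reply and decrypt it.

    Assumption: the blob arrives as a 0x-prefixed hex string, the shape an
    EVM eth_call returns. Other chains need their own unwrapping here.
    """
    result = json.loads(rpc_reply)["result"]
    if result.startswith("0x"):
        result = result[2:]
    return xor_bytes(bytes.fromhex(result), key)


def looks_like_js(blob: bytes) -> bool:
    """Cheap sanity check that decryption produced JavaScript, not noise."""
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return any(tok in text for tok in ("eval(", "require(", "function"))


# ---- constructed sample (not real campaign data) ----
SAMPLE_KEY = b"\x5a\x13\xc4\x77"            # assumed 4-byte embedded key
SAMPLE_STAGE = (
    b"const os=require('os');"
    b"const c=require('child_process');"
    b"eval(String(Buffer.from('...', 'base64')));"
)
SAMPLE_REPLY = json.dumps({
    "jsonrpc": "2.0",
    "id": 1,
    "result": "0x" + xor_bytes(SAMPLE_STAGE, SAMPLE_KEY).hex(),
})


def demo() -> dict:
    """Recover the key from the reply alone, then unwrap the stage."""
    cipher = bytes.fromhex(json.loads(SAMPLE_REPLY)["result"][2:])
    key = recover_key(cipher, b"require('child_process')", 4)
    stage = extract_stage(SAMPLE_REPLY, key) if key else b""
    return {"key": key, "is_js": looks_like_js(stage), "stage": stage}


if __name__ == "__main__":
    r = demo()
    print("key:", r["key"].hex(), "javascript:", r["is_js"])
    print(r["stage"].decode())
```

In practice the crib comes from the loader itself: whatever it does with the decrypted bytes (an eval, a require, a function prologue) tells you what the plaintext must contain, and once the key is out the blob can be analysed statically without ever giving it to eval().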

Packagist Cleanup Missed Configuration-File Payloads

The report said the campaign breached the sevenspan namespace managed by the 7span organisation.

Maintainers found anomalous .woff2 files and began partial cleanup, but Socket analysts said additional payload variants remained hidden in configuration files including vite.config.js and eslint.config.js.
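A repository triage pass for the hiding techniques this report describes, covering both the VS Code task / fake font / whitespace tricks from the loader section and the payloads parked in vite.config.js and eslint.config.js that the partial cleanup missed. This is an added example, not Socket's tooling: it builds a small constructed project tree in a temporary directory and scans it. The file names and the exact task shape are modelled on the report's description and are assumptions; the WOFF2 magic bytes are the real format signature.

```python
"""Scan a checkout for folderOpen VS Code tasks, fake .woff2 files,
off-screen whitespace padding and payload markers in build/lint configs.

Added example with a constructed sample tree; not the vendor's scanner.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List

WOFF2_MAGIC = b"wOF2"   # signature every genuine WOFF2 file starts with
CONFIG_NAMES = {
    "vite.config.js", "vite.config.ts", "vite.config.mjs",
    "eslint.config.js", "eslint.config.mjs", "eslint.config.cjs",
}
CODE_EXT = {".js", ".mjs", ".cjs", ".ts", ".json"}
# 120+ blanks followed by code: the statement sits far off the visible screen
PAD_RE = re.compile(r"[ \t]{120,}\S")
PAYLOAD_RE = re.compile(r"eval\(|new Function\(|child_process|\.woff2")


def finding(path: Path, rule: str, detail: str) -> Dict[str, str]:
    return {"path": path.as_posix(), "rule": rule, "detail": detail}


def check_tasks(path: Path) -> List[Dict[str, str]]:
    """Flag tasks that auto-run on folder open. tasks.json may carry
    comments, so fall back to a text search if strict JSON parsing fails."""
    text = path.read_text(errors="replace")
    try:
        tasks = json.loads(text).get("tasks", [])
    except ValueError:
        if "folderOpen" in text:
            return [finding(path, "vscode_folderOpen_task", "unparsed file mentions folderOpen")]
        return []
    out = []
    for t in tasks:
        if t.get("runOptions", {}).get("runOn") == "folderOpen":
            cmd = " ".join([str(t.get("command", ""))] + [str(a) for a in t.get("args", [])])
            out.append(finding(path, "vscode_folderOpen_task", cmd.strip()))
    return out


def check_font(path: Path) -> List[Dict[str, str]]:
    """A .woff2 that does not start with the WOFF2 magic is not a font."""
    with path.open("rb") as fh:
        head = fh.read(4)
    return [] if head == WOFF2_MAGIC else [finding(path, "fake_woff2", f"header {head!r}")]


def check_source(path: Path) -> List[Dict[str, str]]:
    """Padded lines in any code file; payload markers in config files."""
    out = []
    text = path.read_text(errors="replace")
    for n, line in enumerate(text.splitlines(), 1):
        if PAD_RE.search(line):
            out.append(finding(path, "padded_line", f"line {n}, {len(line)} chars"))
    if path.name in CONFIG_NAMES:
        hit = PAYLOAD_RE.search(text)
        if hit:
            out.append(finding(path, "config_payload", hit.group(0)))
    return out


def scan(root: Path) -> List[Dict[str, str]]:
    out: List[Dict[str, str]] = []
    for p in root.rglob("*"):
        if not p.is_file() or "node_modules" in p.parts:
            continue
        if p.name == "tasks.json" and p.parent.name == ".vscode":
            out += check_tasks(p)
        elif p.suffix == ".woff2":
            out += check_font(p)
        elif p.suffix in CODE_EXT or p.name in CONFIG_NAMES:
            out += check_source(p)
    for f in out:
        f["path"] = Path(f["path"]).relative_to(root).as_posix()
    return out


def build_sample(root: Path) -> None:
    """Constructed tree mimicking the report's description (not real artefacts)."""
    (root / ".vscode").mkdir(parents=True)
    (root / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [{
            "label": "prepare", "type": "shell",
            "command": "node", "args": ["assets/fonts/icons.woff2"],
            "presentation": {"reveal": "never"},
            "runOptions": {"runOn": "folderOpen"},
        }],
    }))
    fonts = root / "assets" / "fonts"
    fonts.mkdir(parents=True)
    (fonts / "icons.woff2").write_bytes(b"const k=require('https');eval(k)")  # JS, not a font
    (fonts / "real.woff2").write_bytes(WOFF2_MAGIC + b"\x00" * 44)           # header only
    (root / "src").mkdir()
    (root / "src" / "app.js").write_text("export const ok = 1;" + " " * 200 + "require('./x')\n")
    (root / "src" / "clean.js").write_text("export const ok = 2;\n")
    (root / "vite.config.js").write_text("export default {}" + " " * 300 + "eval(process.env.X)\n")


def demo() -> List[Dict[str, str]]:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        return scan(Path(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['rule']:24} {f['path']:28} {f['detail']}")
```

Run it against a real checkout with scan(Path("path/to/repo")). The padding threshold and the marker list are deliberately crude; the point is to surface the files a reviewer should open, not to prove maliciousness. On the workstation side, VS Code only fires folderOpen tasks in a trusted workspace, and the task.allowAutomaticTasks setting can switch them off for developers who never need them.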

Socket analysts also described account-level repository manipulation around the Xpos587 GitHub account.

The report said attackers used force pushes and backdated commits to disguise the changes, while telemetry indicated they lacked the registry access needed to publish malicious Python versions to PyPI.

Socket Does Not Name Victim Companies

The report said poisoned packages can expose developer workstations and CI/CD environments because attackers prioritise authentication tokens and production infrastructure credentials.

It cited Kubernetes credentials as an example of the access that can give attackers administrative reach inside production systems.

Socket did not name affected companies, list confirmed downstream victims, publish remediation completion dates, identify every compromised maintainer account or disclose whether any enterprise build pipeline distributed infected proprietary software.
