Socket Tracks 108 Malicious Packages In PolinRider Supply-Chain Attack
Socket reported 162 malicious release artefacts across 108 packages in the PolinRider supply-chain campaign. The report names Go, Packagist and Chrome extension exposure but does not identify victim companies.

Socket reported that its analysts catalogued 162 malicious release artefacts across 108 packages in the PolinRider supply-chain attack, including activity in Go, Packagist, npm-linked infrastructure and a Chrome extension.
The evidence comes from Socket security telemetry, so the article treats the findings as vendor threat research rather than an independent incident filing.
Socket analysts said the campaign uses compromised maintainer accounts and hidden JavaScript loaders to place infected package versions in repositories that developers may trust.
Socket PolinRider Supply-Chain Attack Expands Across Go And Packagist
Socket analysts reported that they found compromise traces in 80 separate Go modules, in 10 Packagist packages and in a Chrome extension.
Socket identified the threat cluster as Contagious Interview, also known as Famous Chollima.
The report said the operation has moved beyond earlier npm registry activity into Go and PHP package environments.
In those ecosystems, trusted repository access can place malicious versions into enterprise deployment pipelines.
Hidden JavaScript Loaders Use VS Code Tasks And Fake Fonts
Socket analysts described a payload chain that hides JavaScript loaders inside project assets.
Attackers pad executable lines with excess whitespace or embed loader code inside fake .woff2 font files so the malicious code is harder to spot during normal review.
The report said execution depends on local developer tooling.
A modified .vscode/tasks.json file configures a background task that runs when an engineer opens a project folder, passing the fake font asset to Node.js before the developer compiles the application.
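As an added illustration (not code from Socket's report), the following Python heuristics flag the two hiding techniques the article describes: a .woff2 asset that lacks the WOFF2 magic bytes and instead holds script text, source lines that push code past the editor's right edge with long whitespace runs, and a .vscode/tasks.json task set to run on folder open that feeds a non-JavaScript asset to node. The sample font bytes, task file and the asset path `assets/fonts/icons.woff2` are constructed for the example.

```python
"""Constructed detection heuristics for the loader-hiding tricks described above."""
import json
import re

WOFF2_MAGIC = b"wOF2"   # every genuine WOFF2 font file starts with these 4 bytes
MAX_PAD = 200           # a whitespace run this long hides trailing code off-screen


def font_is_fake(data: bytes) -> bool:
    """True when a .woff2 payload has no WOFF2 magic and its head decodes to script-like text."""
    if data[:4] == WOFF2_MAGIC:
        return False
    try:
        text = data[:512].decode("utf-8")
    except UnicodeDecodeError:
        return False  # binary but not WOFF2: odd, yet not the JavaScript-loader pattern
    return bool(re.search(r"\b(eval|require|Function|fetch)\s*\(", text))


def padded_lines(source: str) -> list:
    """1-based line numbers where MAX_PAD+ spaces/tabs precede more code on the same line."""
    pattern = re.compile(r"[ \t]{%d,}\S" % MAX_PAD)
    return [n for n, line in enumerate(source.splitlines(), 1) if pattern.search(line)]


def suspicious_tasks(tasks_json: str) -> list:
    """Labels of tasks that auto-run on folderOpen and hand a font/image asset to node."""
    cfg = json.loads(tasks_json)
    flagged = []
    for task in cfg.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        if re.search(r"\bnode\b", cmd) and re.search(r"\.(woff2?|ttf|otf|png|svg)\b", cmd):
            flagged.append(task.get("label", "<unlabelled>"))
    return flagged


# Constructed samples: a "font" that is really a loader, and a tasks.json with one bad task.
FAKE_FONT = b"const k=0x5a;eval(require('fs').readFileSync(__filename,'utf8'))"
TASKS = json.dumps({"version": "2.0.0", "tasks": [
    {"label": "preload-assets", "type": "shell", "command": "node",
     "args": ["assets/fonts/icons.woff2"], "runOptions": {"runOn": "folderOpen"}},
    {"label": "build", "type": "shell", "command": "npm run build"}]})

if __name__ == "__main__":
    print(font_is_fake(FAKE_FONT), suspicious_tasks(TASKS))
```

Run the three checks over a cloned repository's assets, source files and `.vscode/tasks.json` before opening it in an editor that honours automatic tasks.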
Blockchain RPC Networks Carry Encrypted Payloads
Socket analysts said the loader contacts public RPC infrastructure on TRON, BNB Smart Chain and Aptos to retrieve encrypted second-stage payloads.
The loader then uses embedded XOR keys and eval() execution to run the retrieved code.
The named secondary payloads include OmniStealer and DEV#POPPER.
According to the report, those tools can support arbitrary command execution, credential theft, browser data theft and cryptocurrency wallet exfiltration.
Packagist Cleanup Missed Configuration-File Payloads
The report said the campaign breached the sevenspan namespace managed by the 7span organisation.
Maintainers found anomalous .woff2 files and began partial cleanup, but Socket analysts said additional payload variants remained hidden in configuration files including vite.config.js and eslint.config.js.
Socket analysts also described account-level repository manipulation around the Xpos587 GitHub account.
The report said attackers used force pushes and backdated commits, while telemetry indicated they lacked the registry access needed to publish malicious Python versions to PyPI.
Socket Does Not Name Victim Companies
The report said poisoned packages can expose developer workstations and CI/CD environments because attackers prioritise authentication tokens and production infrastructure credentials.
It cited Kubernetes credentials as an example of the access that can give attackers administrative reach inside production systems.
Socket did not name affected companies, list confirmed downstream victims, publish remediation completion dates, identify every compromised maintainer account or disclose whether any enterprise build pipeline distributed infected proprietary software.