ForumsGeneralPolinRider: Analyzing the Multi-Ecosystem Supply Chain Attack

PolinRider: Analyzing the Multi-Ecosystem Supply Chain Attack

MFA_Champion_Sasha 7/4/2026 USER

Just reviewed the latest intelligence on the 'PolinRider' campaign, and it looks like the threat actors behind the Contagious Interview operation have significantly scaled up their efforts. We're seeing 108 distinct malicious artifacts across npm, Packagist, Go, and even the Chrome Web Store.

What is particularly concerning here isn't just the volume, but the attack vector. They are moving beyond simple typosquatting and are actively compromising maintainer accounts. This allows them to inject malicious code into legitimate packages, bypassing standard reputation checks. The inclusion of Chrome extensions suggests they are targeting developer workspaces directly to steal session cookies or intercept traffic.

If you are managing dev environments, I strongly recommend auditing recent installs. We are currently scanning our internal registries for packages with unusually high entropy or recently added obfuscated scripts.

You can use the following snippet to flag packages installed in the last 24 hours in your node environment for manual review:

find node_modules -type f -mtime -1 -exec ls -l {} \;

Additionally, lock your dependency versions strictly and enable 2FA/MFA on all your registry accounts immediately.

How is everyone else handling the vetting process for browser extensions used by dev teams? Are you blocking the Chrome Web Store entirely, or do you have a specific allowlist?

RE
RedTeam_Carlos7/4/2026

We moved to an internal private npm registry last quarter. It was a hassle to set up, but it completely neutralizes this type of attack vector for us. If a package isn't in the allowlist, the build fails. I'd also recommend checking the package-lock. into git to ensure integrity across pipelines.

BU
BugBounty_Leo7/4/2026

The Chrome extension angle is terrifying. Most orgs focus on the CI/CD pipeline but forget that developers install extensions that have access to internal Git repos and Jira tickets. We're rolling out a policy to force 'Developer Mode' off and using GPO to block all extensions except a specific whitelist.

PR
Proxy_Admin_Nate7/4/2026

From a SOC perspective, we are hunting for the 'Contagious Interview' IoCs associated with this group. Watch for cmd.exe or powershell.exe spawning from unexpected child processes of your package managers (npm, composer).

DeviceProcessEvents
| where FileName in ("npm.cmd", "composer")
| where InitiatingProcessFileName in ("cmd.exe", "powershell.exe")

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created7/4/2026
Last Active7/4/2026
Replies3
Views186