New campaign by North Korea-linked hackers is targeting developers: Header image
Emerging Threats 7 min read

New campaign by North Korea-linked hackers is targeting developers

Published:Jul 17, 2026

From fake interviews to Web3 blockchain heists to stealers, it’s no secret that Mac developers are being increasingly targeted by cybercriminals. Now, as a new report claiming that North Korean hackers have modified hundreds of open-source repositories emerges, we talk to Ankit Kumar Honey, Senior Engineering Manager at GitHub.

Our focus? How Mac developers can build DevSecOps pipelines. 

Socket says North Korean hackers modified hundreds of open-source resources, again

Recently, Socket reported that the North Korean-linked PolinRider supply chain campaign has expanded significantly. Threat actors associated with the broader Contagious Interview/Famous Chollima activity cluster (known for having advanced technical skills) have moved beyond npm resources. 

PolinRider has released 162 malicious artifacts across 106 unique packages, including compromise traces in 80 Go modules, 10 Packagist packages, and one Chrome extension, the Socket report reads.

A screenshot of the malware analysis found on the PolinRider Socket report.
The full IoCs and details of the affected packages, including malware analysis, can be found on the PolinRider Socket report. Image: Screenshot, Moonlock.

Socket warns that this campaign is active and that new malicious packages are likely to emerge as bad actors compromise maintainer accounts, modify legitimate repositories, and publish infected package versions where they retain or obtain registry access.

The technique remains the same and includes implanting obfuscated JavaScript loaders in legitimate repositories, concealing the code through whitespace padding or fake .woff2 font files, and triggering execution through developer tooling such as VS Code task files. 

The threat actors use Git history rewriting, including force pushes and anti-dated commits, to make malicious changes appear older and less suspicious, Socket said. 

“This makes the GitHub landing page and visible commit history unreliable indicators of compromise,” they added.  

Ankit Kumar Honey, Senior Engineering Manager at GitHub, leads the Dependabot team within the Supply Chain Security organization. With experience in building defenses for 180M+ developers and tracking advanced persistent threats targeting software development environments, we talk to Honey to understand what’s at stake and how to work around it. 

Who is being targeted, and is this strictly for the money?

Our first question for Honey: who exactly is being targeted here?

“The campaign targets individuals and businesses,” said Honey. “The first target is the single developer that serves as an entry point and is used to breach the bigger target, which is the enterprise.” 

Honey explained that often, state-sponsored groups will masquerade as recruiters, with a particular interest in software engineers working in Web3 and decentralized finance (DeFi). 

“Attackers can easily compromise their credentials and pivot directly into the broader enterprise’s corporate network and source code repositories by attacking a developer to run malicious code on their local machine,” he said.

Attackers can easily compromise their credentials and pivot directly into the broader enterprise’s corporate network and source code repositories.

Ankit Kumar Honey, Senior Engineering Manager at GitHub

Besides hacking Mac users with fake Zoom interviews and using malware to target crypto businesses, threat actors linked to North Korea have gone after open-source repositories before. 

On April 10, we reported on a North Korean Axios hack which, unlike this one, targeted a single source repository. However, because that single package was the official Axios package, downloaded by 100 million weekly users, the number of users it affected was reported as broad. 

In this new threat campaign, PolinRider takes another approach, modifying open-source ecosystems in bulk—hundreds of them. Is this an escalation of the group’s usual activities, and is this strictly for the money?

“The immediate aim seems to be financial, especially to steal cryptocurrency wallets and login passwords to get around international restrictions,” Honey told us.  

But what we’re seeing is a move away from simple phishing to incredibly complex software supply chain attacks, he added. 

“Adversaries are getting smarter, using sophisticated anti-forensic techniques, and taking over legitimate maintainer accounts on package registries (such as NPM and Go) to look for long-term, deep footholds in corporate environments for more than just a quick buck,” said Honey.

Open-source modified resource, loader, malware payload: The architectural cyberattack design

According to Socket, the malware or malicious code in modified resources in this new PolinRider campaign typically functions as an obfuscated JavaScript loader. 

In some cases, the loader reaches out to blockchain and public RPC infrastructure, including TRON, Aptos, and BNB Smart Chain services, retrieves encrypted second-stage payload material, decrypts it with embedded XOR keys, and executes the result with eval(). 

Malware payloads observed in this campaign include DEV#POPPER and OmniStealer, a piece of macOS malware used before by North Korean threat actors, according to eSentire. 

This malware establishes a backdoor and a C2 communication channel and executes credential theft, browser-data theft, and wallet exfiltration. However, using the same loader concept architecture, the malware can vary as the campaign evolves. 

The trend to go after Mac developers goes well beyond North Korean threat actors

Threats that target developers’ resources are not just coming from North Korean threat actors. There are plenty of other bad actors. For example, AMOS stealer operators have used GitHub profiles to pose as 1Password and other apps.

In contrast, cybercriminal organizations like the Stargazers Ghost Network, a malware distribution-as-a-service (DaaS) group active since at least 2022 and believed to have over 3,000 active accounts on GitHub and other platforms, also target Mac developers.

This group reportedly uses GitHub accounts to distribute malware like Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine malware.

Going even further, some Mac developer threat campaigns have never even been attributed to any threat actor. For example, GhostClaw, which in March of this year hijacked macOS through developer npm packages, impersonating the viral OpenClaw AI platform reported to be used by millions to create AI agents.  

Screenshot of a developer's profile on GitHub linked by Socket to the new North Korean campaign.
Profile of a developer on GitHub linked by Socket to the new North Korean campaign. Image: Screenshot, Moonlock.

What can Mac developers do to stay safe?

So, what can Mac developers do about all this activity in the current Mac developer threat landscape? There’s no need to reinvent the wheel. The answer is DevSecOps.

What is DevSecOps?

DevSecOps, short for Developer Security Operations, is a term that emerged several years ago but still has had trouble catching on as the standard for all developers.

In contrast to DevOps, in DevSecOps, security and privacy are embedded into software development pipelines and workflows from the very start, including production and even updates.

DevSecOps, often shrugged off by many companies or developers because it does not prioritize speed or time-to-market, thinks of security and privacy as a fundamental pillar, not as an afterthought. 

A Mac DevSecOps framework to help you build better and safer apps, software, and code

Honey from GitHub broke down for us a simple but highly effective 5-step framework for Mac DevSecOps, as follows:

1. Identity and endpoint hardening: Utilize MDM/EDR tools to protect the local Mac environment. Mandate the use of phishing-resistant hardware keys (e.g., YubiKeys) for all registry and repository access. This will cost the maintainers, but safety should not be compromised.

2. Proactive dependency vetting: Employ Software Composition Analysis (SCA) to identify obfuscated code or unexpected maintainer changes prior to including packages in the local environment.

3. Commit integrity enforcement: Enforce 2-person peer reviews and require cryptographic signing of commits to authenticate developer identities to prevent backdoor injections.

4. Secure the CI/CD pipeline: Don’t hardcode API tokens and private keys. Opt for ephemeral (short-lived) build runners and deploy secrets scanning.

5. Create and track SBOMs: Maintain an automatic Software Bill of Materials (SBOM) for each build and constantly check for background scripts attempting to access the Mac Keychain at runtime.

Besides building DevSecOps, there are other things Mac users can do to build stronger cybersecurity. 

Get the Moonlock App. It will flag malware and suspicious activity on your Mac.

The Moonlock security app was developed to offer you added layers of security. The app’s Malware Scanner and Real-Time Protection—which checks everything you interact with, including Terminal commands—will keep your Mac clean from malware. Meanwhile, the app’s System Protection tool will scan your Mac’s security settings and guide you on how to turn your settings up to the highest, safest level.

Screenshot of the the Moonlock app user interface.
The Moonlock app. Image: Screenshot, Moonlock.

Additionally, besides shipping with a built-in VPN, the app comes with a Scam Detector, which you can use to check emails and messages for scams and phishing. 

You can check out and test-drive Moonlock for free for 7 days.

Final thoughts

According to the advice in this report, shared by a GitHub expert, a Mac DevSecOps framework will help you build better and safer software, apps, and code. Using DevSecOps frameworks, along with understanding the new threats out in the wild, represents a robust response to the current threat landscape that Mac developers face.

Overall, you can learn more about how your tech works and keep up with cybersecurity and privacy news to live a calmer and safer digital experience. 

This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. Mac and macOS are trademarks of Apple Inc.

MoonLock Banner
Ray Fernandez

Ray Fernandez

Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.