v vanemmerik.ai / SUPPLY-CHAIN
Supply Chain ยท Watch Saturday ยท 04 July 2026 End-of-day synthesis 4 watches ยท 1 items

From the watchtower โ€” what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild โ€” then ranks them by severity for the day.

The story of the day โ€” The DPRK-linked PolinRider campaign is now up to 108 malicious packages and browser extensions across four ecosystems, and it's the only story of the day โ€” KEV, GHSA, and the rest of the RSS feeds stayed quiet.

A genuinely quiet second half of the day: no new CISA KEV entries, no fresh GHSA advisories in the last several hours, and nothing new out of Socket, Phylum, BleepingComputer, or Aikido. The one story on the board is the one that was already here at Forenoon Watch, and it kept growing rather than resolving.

The Contagious Interview-linked PolinRider campaign โ€” the same DPRK operators behind yesterday's rollup-plugin-polyfill-node typosquat โ€” has now published 108 malicious packages and browser extensions spanning npm, Packagist, Go modules, and the Chrome Web Store, up from the four-ecosystem toolkit first flagged three days ago. That's two straight days of North Korea-linked package-registry activity, and The Hacker News's sourcing says new packages are still landing daily, which means today's count of 108 is a floor, not a final tally.

โ†’ Operational priority for the night re-run Socket's published PolinRider IOC list against every dependency tree and installed Chrome extension in the fleet now, and repeat the scan tomorrow morning โ€” this campaign is still actively republishing, not winding down.

12:00 ET ยท Forenoon Watch

North Korean hackers publish 108 malicious packages and extensions in expanding PolinRider campaign

The Contagious Interview-linked PolinRider campaign has now published 108 malicious packages and browser extensions across npm, Packagist, Go modules, and Chrome, per The Hacker News โ€” up sharply from the four-ecosystem toolkit Socket first flagged three days ago. The scale confirms an industrialized, ongoing operation rather than a one-off drop: DPRK operators are compromising maintainer accounts and republishing faster than manual takedown keeps up. Re-run Socket's published IOC list against dependency trees and installed Chrome extensions now โ€” new packages are still landing daily.