MEDIUMSupply Chain
Global

Hijacked npm Package Attempts to Deliver PolinRider-Linked RAT

·Source: Sonatype (Maven/npm)

Updated:

Executive Summary

<img src="https://www.sonatype.com/hubfs/blog_npm_hijack2.jpg" alt="Image with large text at center "npm package hijack" and the Sonatype company name above it." class="hs-featured-image" style="width:auto !important

Analysis

Attackers do not need to wait fo r a CVE whe n they can publish directly into the build.

Indicators of Compromise (4)

URL (3)
https://www.sonatype.com/blog/hijacked-npm-package-attempts-to-deliver-polinrider-linked-rat
VirusTotalURLhaus
https://www.sonatype.com/hubfs/blog_npm_hijack2.jpg
VirusTotalURLhaus
https://www.sonatype.com/security-advisories
VirusTotalURLhaus
Domain (1)
www.sonatype.com
VirusTotalURLhaus
Source Attribution

Originally published by Sonatype (Maven/npm) on May 21, 2026.

Related Threats

HIGHSupply Chain

Infected Red Hat npm packages expose developer credentials

Developers who pulled packages from Red Hat’s @redhat-cloud-services npm namespace over the weekend got a secret-stealing worm instead. Security researchers from several cybersecurity outlets are warning of a new supply chain attack compromising over 30 Red Hat Cloud Services-related npm packages to steal credentials, authentication tokens, and other secrets from developer environments. The campai

CSO Online
MEDIUMSupply Chain

Attackers Hijack Red Hat npm Scope to Steal Cloud Secrets

Attackers backdoored 32 packages in Red Hat's official npm scope to steal cloud and CI secrets

Infosecurity Magazine
HIGHSupply Chain

Attack targeting OpenAI Codex users exposes AI software supply chain risks

A malicious npm package posing as a remote user interface for OpenAI Codex exfiltrated developer authentication tokens, after attackers allegedly published code to npm that was not visible in the project’s public GitHub repository. Researchers at Aikido said the package, called codexui-android, appeared to offer legitimate functionality while collecting authentication tokens and sending them to an

CSO Online