I was one of ~1,047 GitHub owners hit by the PolinRider DPRK supply-chain attack documented at OpenSourceMalware/PolinRider. An obfuscated JS payload was silently appended to config files in four of my repos by a malicious npm package or VS Code extension — I didn't commit it and had no idea it was there.
Affected repos (now cleaned and pushed):
- finom/vovk-hello-world — Vovk.ts demo (postcss.config.mjs)
- finom/realtime-kanban — Vovk.ts demo (postcss.config.mjs)
- finom/blok — personal project, made it private (postcss.config.mjs)
- finom/opensource.gubanov.eu — my portfolio site (webpack.config.js)
A near-miss was also caught in review on finom/prisma-zod-generator.
Please run the OSM scanner (polinrider-scanner.sh) and follow the mitigation steps — audit your config files, delete any temp_auto_push.bat, and rotate build-environment secrets.
Everything on my side is fixed. Apologies to anyone exposed through my repos, and thanks for your patience — stupid situation, but handled.
— Andrey
My name is Andrey Gubanov. I have lived in the open-source universe since 2011. Most of my projects can be found on opensource.gubanov.eu. Feel free to follow my GitHub profile and star my repos!
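
A quick local triage for the symptoms named in the notice above (a `temp_auto_push.bat` file and modified `postcss.config.*` / `webpack.config.*` files), as an added example that is not part of the original notice and is not the OSM `polinrider-scanner.sh`. It assumes an appended obfuscated payload leaves at least one very long line in a normally short config file; the `MAX_LINE` threshold and the function names `audit_repo` and `make_sample_tree` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: heuristic triage for the symptoms named above. Not the OSM scanner.
# Assumption: an appended obfuscated payload leaves at least one very long line
# in a build config that is normally short. MAX_LINE is a tunable guess.
MAX_LINE="${MAX_LINE:-500}"

# audit_repo DIR: print one tab-separated finding per line, skipping
# node_modules and .git so third-party bundles do not drown the output.
audit_repo() {
  local root="$1"
  # Batch file the notice says to delete.
  find "$root" -type d \( -name node_modules -o -name .git \) -prune -o \
    -type f -name 'temp_auto_push.bat' -exec printf 'BAT\t%s\n' {} +
  # Config file types the notice lists as modified.
  find "$root" -type d \( -name node_modules -o -name .git \) -prune -o \
    -type f \( -name 'postcss.config.*' -o -name 'webpack.config.*' \) \
    -exec awk -v max="$MAX_LINE" 'length($0) > max {
        printf "LONGLINE\t%s:%d\t%d chars\n", FILENAME, FNR, length($0)
      }' {} +
}

# make_sample_tree DIR: constructed fixture (filler text only, no real payload).
make_sample_tree() {
  local d="$1"
  mkdir -p "$d/node_modules/dep"
  printf 'export default { plugins: {} };\n' > "$d/postcss.config.mjs"
  { printf 'module.exports = {};\n'
    awk 'BEGIN { for (i = 0; i < 600; i++) printf "A"; print "" }'
  } > "$d/webpack.config.js"
  cp "$d/webpack.config.js" "$d/node_modules/dep/webpack.config.js"
  printf '@echo off\r\n' > "$d/temp_auto_push.bat"
}

# Usage: ./audit.sh /path/to/checkout   (or --demo to run on the fixture)
if [ "${1:-}" = "--demo" ]; then
  tmp="$(mktemp -d)"; make_sample_tree "$tmp"; audit_repo "$tmp"; rm -rf "$tmp"
elif [ -n "${1:-}" ]; then
  audit_repo "$1"
fi
```

A `LONGLINE` hit is a reason to open the file and compare it against `git log -p` for that path; no hits only means this one heuristic found nothing.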






