Supply-chain securityPolinRider keeps expanding, and the postinstall still lands on your runner
DevOps.com reports two DPRK-linked groups are expanding PolinRider, a supply-chain campaign that pushes malicious packages into developer workflows through long-running fake-interview scams. Socket and Rescana are named as the vendors doing the attribution. The pipeline lesson is old, and unfinished.