I was one of ~1,047 GitHub owners hit by the PolinRider DPRK supply-chain attack documented at OpenSourceMalware/PolinRider. An obfuscated JS payload was silently appended to config files in four of my repos by a malicious npm package or VS Code extension — I didn't commit it and had no idea it was there.
Affected repos (now cleaned and pushed):
- finom/vovk-hello-world — Vovk.ts demo (postcss.config.mjs)
- finom/realtime-kanban — Vovk.ts demo (postcss.config.mjs)
- finom/blok — personal project, made it private (postcss.config.mjs)
- finom/opensource.gubanov.eu — my portfolio site (webpack.config.js)
A near-miss was also caught in review on finom/prisma-zod-generator.
Install the polinrider-scan skill (see install command below) and ask Claude to "scan for PolinRider globally". The skill walks the local file system using only standard utilities — no external downloads, no remote scripts — and reports any residue. Then follow the OSM project's mitigation guidance: audit your build config files, remove temp_auto_push.bat / config.bat and any .gitignore entries that hid them, and rotate any build-environment secrets the machine had access to.
Everything on my side is fixed. Apologies to anyone exposed through my repos, and thanks for your patience — stupid situation, but handled.
— Andrey
My name is Andrey Gubanov. I have lived in the open-source universe since 2011. Most of my projects can be found on opensource.gubanov.eu. Feel free to follow my GitHub profile and star my repos!
- polinrider-scan — scan for PolinRider supply-chain malware
Install via npx skills:

```sh
# project-local
npx skills add finom/finom --skill polinrider-scan
# global
npx skills add finom/finom --skill polinrider-scan -g
```
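As an added example, not the polinrider-scan skill's own code: a POSIX sh residue check built from standard utilities only, covering the items the mitigation list above names (temp_auto_push.bat / config.bat and .gitignore lines that hide them) plus an assumed long-line heuristic for an obfuscated payload appended to a postcss/webpack config file. The sample tree it scans is constructed inline; `polinrider_scan`, the 500-character threshold and the finding labels are this example's own choices.

```sh
#!/bin/sh
# Added example, not the polinrider-scan skill's own code: a residue check
# built from standard utilities only (find, grep, awk). The indicators come
# from the mitigation list above; the long-line threshold is an assumed
# heuristic for an obfuscated payload appended to a build config file.
# Note: $(find ...) word-splits, so paths containing whitespace are not handled.

polinrider_scan() {
  root="$1"; hits=0; max=500
  # 1. dropped helper scripts
  for f in $(find "$root" -type f '(' -name temp_auto_push.bat -o -name config.bat ')'); do
    echo "DROPPED_FILE: $f"; hits=$((hits + 1))
  done
  # 2. .gitignore entries that would hide those scripts from git status
  for g in $(find "$root" -type f -name .gitignore); do
    if grep -qE 'temp_auto_push\.bat|config\.bat' "$g"; then
      echo "GITIGNORE_HIDE: $g: $(grep -E 'temp_auto_push\.bat|config\.bat' "$g" | tr '\n' ' ')"
      hits=$((hits + 1))
    fi
  done
  # 3. build config files containing a line longer than $max characters
  for c in $(find "$root" -type f '(' -name 'postcss.config.*' -o -name 'webpack.config.*' ')'); do
    if awk -v max="$max" 'length($0) > max { found = 1 } END { exit !found }' "$c"; then
      echo "LONG_LINE: $c (inspect the tail of the file for appended JS)"
      hits=$((hits + 1))
    fi
  done
  echo "findings: $hits"
  [ "$hits" -eq 0 ]   # non-zero exit when residue was found
}

# Constructed sample tree (not a real repo) so the check runs offline
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/clean" "$SAMPLE_DIR/hit"
printf 'export default { plugins: {} };\n' > "$SAMPLE_DIR/clean/postcss.config.mjs"
printf 'node_modules\n' > "$SAMPLE_DIR/clean/.gitignore"
printf 'export default { plugins: {} };\n%s\n' "$(awk 'BEGIN { while (i++ < 600) printf "x" }')" > "$SAMPLE_DIR/hit/postcss.config.mjs"
printf 'node_modules\ntemp_auto_push.bat\nconfig.bat\n' > "$SAMPLE_DIR/hit/.gitignore"
: > "$SAMPLE_DIR/hit/temp_auto_push.bat"

polinrider_scan "$SAMPLE_DIR" || echo "residue found under $SAMPLE_DIR"
```

Run it against a real checkout with `polinrider_scan /path/to/repo`; every LONG_LINE hit still needs a manual look at the file's tail, since the threshold is a heuristic, not a signature.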