
Security: Repository contains malicious public/fonts/fa-solid-400.woff2 (PolinRider campaign) #153

@bigtomgleeson

Security Disclosure: This repository has been compromised

The repository styled-components/vue-styled-components has been compromised by the PolinRider campaign — a DPRK-linked supply chain operation that has infected 670+ repositories across 347+ users to date.

This is not spam. This disclosure is from the OpenSourceMalware.com research team.

Compromised file

public/fonts/fa-solid-400.woff2 — a malicious binary payload disguised as a Font Awesome web font asset. The file does not contain a legitimate WOFF2 font; it is a binary blob staged in the public/fonts/ directory where it would be served to any site loading this repository's assets.

This is consistent with the PolinRider operator's known practice of staging payloads in unexpected locations (configs, batch files, and now binary asset directories) to evade reviewer attention.

What the malicious file does

PolinRider is a multi-stage DPRK loader that ultimately drops infostealer and credential-harvesting payloads. Known capabilities across the campaign include:

  • Browser credential and cookie theft
  • Cryptocurrency wallet exfiltration (TRON C2 addresses observed: TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP, TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG)
  • Silent git history rewriting via temp_auto_push.bat to amend and force-push infected commits
  • Propagation through postcss.config.mjs, tailwind.config.js, eslint.config.mjs, next.config.mjs, and babel.config.js injection

Immediate remediation steps

  1. Delete public/fonts/fa-solid-400.woff2 from this repository (and replace with a clean copy from the official Font Awesome distribution if needed)
  2. Audit git history for when the file was introduced and by whom — git log --all --full-history -- public/fonts/fa-solid-400.woff2
  3. Force-push to remove the malicious blob from history, then run git gc --prune=now on mirrors
  4. Rotate ALL credentials for any maintainer account with push access: GitHub password, Personal Access Tokens, SSH keys, npm tokens
  5. Enable 2FA / passkeys on every account with push access
  6. Scan maintainer machines for PolinRider IOCs:
    • Files: temp_auto_push.bat, config.bat
    • Strings in config files: rmcej%otb%, _$_1e42, global['!']='8-270-2'
    • .gitignore entries hiding config.bat
  7. Audit other repositories owned by the same maintainer(s) — PolinRider infects every local clone on a compromised machine

A free local scanner is available: https://opensourcemalware.com

Full technical analysis: https://opensourcemalware.com


Disclosed by the OpenSourceMalware.com research team.
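As an added defensive example, not code from the disclosure above or from the styled-components project, the scanner below applies step 1's check and step 6's indicators to a checkout: it flags any .woff2 file lacking the 'wOF2' signature every WOFF2 font begins with, the named batch files, the quoted config-file strings, and a .gitignore entry for config.bat. The sample tree it builds is constructed for demonstration and contains no real campaign data.

```python
import os
import tempfile

WOFF2_MAGIC = b"wOF2"  # every WOFF2 font starts with this 4-byte signature
# Indicators quoted in the disclosure: file names and strings found in config files
IOC_FILENAMES = {"temp_auto_push.bat", "config.bat"}
IOC_STRINGS = [b"rmcej%otb%", b"_$_1e42", b"global['!']='8-270-2'"]
CONFIG_NAMES = {"postcss.config.mjs", "tailwind.config.js", "eslint.config.mjs",
                "next.config.mjs", "babel.config.js", ".gitignore"}

def is_woff2(path):
    """True if the first four bytes carry the WOFF2 signature."""
    with open(path, "rb") as f:
        return f.read(4) == WOFF2_MAGIC

def scan_tree(root):
    """Walk a checkout and return (path, reason) findings for the indicators above."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in IOC_FILENAMES:
                findings.append((path, "known PolinRider file name"))
            if name.endswith(".woff2") and not is_woff2(path):
                findings.append((path, "missing WOFF2 signature"))
            if name in CONFIG_NAMES:
                with open(path, "rb") as f:
                    data = f.read()
                for s in IOC_STRINGS:
                    if s in data:
                        findings.append((path, "contains IOC string " + s.decode()))
                if name == ".gitignore" and b"config.bat" in data:
                    findings.append((path, ".gitignore hides config.bat"))
    return findings

def build_sample_tree():
    """Constructed checkout for demonstration only; none of it is real campaign data."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "public", "fonts"))
    samples = {
        "public/fonts/fa-solid-400.woff2": b"MZ\x90\x00" + b"\x00" * 60,  # constructed blob
        "public/fonts/fa-regular-400.woff2": WOFF2_MAGIC + b"\x00" * 60,  # valid signature
        "tailwind.config.js": b"module.exports = {};global['!']='8-270-2'\n",
        ".gitignore": b"node_modules\nconfig.bat\n",
        "temp_auto_push.bat": b"",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root
```

Running `scan_tree` on a real clone reports only the indicators listed here; a clean result does not rule out a compromise, so the credential rotation and history audit in the steps above still apply.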
