
finom - Overview

⚠️ Security notice — PolinRider supply-chain compromise (resolved)

I was one of ~1,047 GitHub owners hit by the PolinRider DPRK supply-chain attack documented at OpenSourceMalware/PolinRider. An obfuscated JS payload was silently appended to config files in four of my repos by a malicious npm package or VS Code extension — I didn't commit it and had no idea it was there.

Affected repos (now cleaned and pushed):

A near-miss was also caught in review on finom/prisma-zod-generator.

If you cloned or npm installed from any of these before the cleanup

Install the polinrider-scan skill (see install command below) and ask Claude to "scan for PolinRider globally". The skill walks the local file system using only standard utilities — no external downloads, no remote scripts — and reports any residue. Then follow the OSM project's mitigation guidance: audit your build config files, remove temp_auto_push.bat / config.bat and any .gitignore entries that hid them, and rotate any build-environment secrets the machine had access to.
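The following is an added, stand-alone residue check modelled on the cleanup steps above; it is not the polinrider-scan skill or any other code from this page, and it only looks for the two batch file names and the .gitignore entries named in the notice (the sample directory layout it constructs is an assumption).

```shell
#!/bin/sh
# Added example (not the polinrider-scan skill): a minimal residue check that
# uses only find/grep/sed. It looks for the two batch files named on this page
# and for .gitignore lines that would hide them from `git status`.
# The JS appended to config files needs the OSM project's own indicators, so
# that check is deliberately not attempted here.

# scan_polinrider_residue DIR
#   prints "dropped-file: PATH" or "gitignore-entry: FILE:LINE:TEXT" per finding
#   returns 0 when nothing was found, 1 when residue is present
scan_polinrider_residue() {
    dir="$1"
    found=0

    # 1. the batch files the attack drops, anywhere under the tree
    hits=$(find "$dir" -type f \( -name temp_auto_push.bat -o -name config.bat \) 2>/dev/null || :)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/dropped-file: /'
        found=1
    fi

    # 2. .gitignore entries that keep those files out of `git status`
    entries=$(find "$dir" -type f -name .gitignore \
        -exec grep -HnE 'temp_auto_push\.bat|config\.bat' {} + 2>/dev/null || :)
    if [ -n "$entries" ]; then
        printf '%s\n' "$entries" | sed 's/^/gitignore-entry: /'
        found=1
    fi

    return $found
}

# make_sample_tree
#   builds a constructed directory with one clean repo and one repo carrying
#   placeholder residue (harmless stand-ins, not real payloads); prints its path
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/clean-repo" "$t/hit-repo"
    printf 'node_modules\n' > "$t/clean-repo/.gitignore"
    printf 'node_modules\nconfig.bat\ntemp_auto_push.bat\n' > "$t/hit-repo/.gitignore"
    printf '@echo off\nrem constructed placeholder\n' > "$t/hit-repo/temp_auto_push.bat"
    echo "$t"
}

# stand-alone use: sh scan.sh [DIR]   (defaults to the current directory)
scan_polinrider_residue "${1:-.}" && echo "no PolinRider residue under ${1:-.}"
```

A hit only means one of the file names or ignore entries is present; the rest of the OSM mitigation guidance (build config audit, secret rotation) still applies.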

Everything on my side is fixed. Apologies to anyone exposed through my repos, and thanks for your patience — stupid situation, but handled.

— Andrey


Hi there 👋

My name is Andrey Gubanov. I have lived in the open-source universe since 2011. Most of my projects can be found on opensource.gubanov.eu. Feel free to follow my GitHub profile and star my repos!

GitHub Stats


Claude Code skills

Install via npx skills:

# project-local
npx skills add finom/finom --skill polinrider-scan

# global
npx skills add finom/finom --skill polinrider-scan -g