164news.com

North Korea-linked npm packages impersonate Rollup polyfill tools to steal developer secrets

Posted on July 3, 2026 By 164news66

JFrog identified six packages using layered delivery chains to harvest credentials for AWS, Azure, Claude, Gemini, and cryptocurrency wallets from developer workstations

July 3, 2026 – 4:55 pm

TL;DR

Six malicious npm packages mimicking Rollup polyfill tools stole developer credentials and enabled remote access in a campaign linked to North Korean threat actors.

Security researchers at JFrog have uncovered a set of malicious npm packages that impersonate legitimate Rollup polyfill tooling to steal developer credentials and gain remote access to compromised machines. The packages, named “rollup-packages-polyfill-core” and “rollup-runtime-polyfill-core”, closely resemble the genuine “rollup-plugin-polyfill-node” project in terms of:

  • Description
  • Repository metadata
  • Package structure

All six packages have since been removed from the npm registry.

The attack utilizes a layered delivery chain designed to evade detection. This involves:

  1. First-stage packages installing hidden second-stage dependencies disguised as SVG utilities.
  2. These utilities then fetch a JSON object from a remote hosting service and execute its embedded payload.

JFrog notes that this structure, coupled with lookalike names, realistic metadata, and environment checks designed to avoid sandboxes and cloud development platforms, aligns with previous Lazarus-linked npm campaigns.
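A defender-side check for the pattern described above, as an added example that is not JFrog's or this article's code: it audits the `packages` map of a package-lock.json for the two package names given here and for other names that pair "rollup" with "polyfill", and lists what each flagged package pulls in and who required it. The sample lockfile, the names `example-svg-helper` and `rollup-polyfill-example`, and the lookalike heuristic are assumptions made for illustration.

```javascript
// Added example: audit the "packages" map of a package-lock.json (lockfileVersion 2/3).
const REPORTED = new Set(["rollup-packages-polyfill-core", "rollup-runtime-polyfill-core"]);
const GENUINE = "rollup-plugin-polyfill-node"; // the project being impersonated

// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root entry "" -> ""
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? "" : lockPath.slice(i + marker.length);
}

// Heuristic (an assumption, expect false positives): a name that combines
// "rollup" and "polyfill" but is not the genuine package deserves a manual look.
function isLookalike(name) {
  return name !== GENUINE && name.includes("rollup") && name.includes("polyfill");
}

function auditLockfile(lock) {
  const entries = Object.entries(lock.packages || {});
  const findings = [];
  for (const [path, meta] of entries) {
    const name = packageName(path);
    if (!name) continue; // skip the root project entry
    const reason = REPORTED.has(name) ? "reported"
      : isLookalike(name) ? "lookalike" : null;
    if (!reason) continue;
    findings.push({
      name, version: meta.version, reason,
      // Second-stage candidates: whatever the flagged package installs itself.
      pulls: Object.keys(meta.dependencies || {}),
      // Who asked for it: the root project or another installed package.
      requiredBy: entries
        .filter(([, m]) => name in { ...m.dependencies, ...m.devDependencies })
        .map(([p]) => packageName(p) || "(root project)"),
    });
  }
  return findings;
}

// Constructed sample lockfile; versions and the two "example" names are made up.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", devDependencies: { "rollup-runtime-polyfill-core": "^1.0.0" } },
  "node_modules/rollup-plugin-polyfill-node": { version: "1.0.0" },
  "node_modules/rollup-runtime-polyfill-core": { version: "1.0.0", dependencies: { "example-svg-helper": "^1.0.0" } },
  "node_modules/example-svg-helper": { version: "1.0.0" },
  "node_modules/rollup-polyfill-example": { version: "0.0.1" },
}};
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

For a real project, pass the parsed contents of package-lock.json to `auditLockfile` and review every entry in `pulls` as well as the flagged package itself.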

Once executed, the malware gives attackers both collection and control capabilities over the infected machine. It steals data from web browsers and cryptocurrency wallets, captures clipboard content periodically, harvests specific file types, targets developer tool configurations for VS Code, Windsurf, and Cursor, and exfiltrates SSH keys and credentials for AWS, Microsoft Azure, Google Gemini, and Anthropic Claude.

This campaign is not an isolated incident. In April, researchers at Panther documented a sustained Lazarus npm operation involving 108 malicious packages across 261 versions designed to deliver BeaverTail and OtterCookie, two known North Korean malware families associated with the Contagious Interview campaign. These latest packages share features with OtterCookie, including the use of a forked keyboard and mouse control library for interactive remote terminal sessions, screenshot capture, and simulated user input on compromised Windows machines.

The recent disclosures highlight a broader trend of supply chain attacks targeting open-source package repositories. Separate reports from Checkmarx, SafeDep, and AWS researcher Chi Tran identify clusters of malicious packages across npm and PyPI that steal cloud credentials, cryptocurrency wallets, SSH keys, and developer secrets. Rollup plugins are frequently loaded on developer workstations and in CI build pipelines, environments that have proven increasingly vulnerable to supply chain compromises and that often hold access to sensitive assets, including source code, API keys, and project secrets.
