Tech Journalism
Suspected North Korea-Linked npm Malware Disguised as Rollup Polyfills
Six malicious npm packages imitated Rollup polyfills to target credentials on developer workstations and CI systems. Here is how teams should respond.
Threat actors with suspected links to North Korea distributed malicious npm packages disguised as plugins for the Rollup build tool, according to security researchers. Their objective was credentials stored on developer workstations and build servers.
The Hacker News reported the campaign on July 3, citing a technical analysis by JFrog Security Research.
Disguised as Rollup polyfills
Rollup is a JavaScript bundler, and developers frequently load related plugins during builds.
The two entry packages were rollup-packages-polyfill-core and rollup-runtime-polyfill-core. Both were made to resemble the legitimate rollup-plugin-polyfill-node project, copying its description, repository references, and code structure.
The legitimate package records about 295,000 weekly downloads and exceeded 1.2 million downloads in the previous month. That popularity gives the project a level of trust attackers can exploit.
JFrog researcher Yair Benamou noted that the names and package layout could allow the malicious dependencies to survive a quick review. Researchers identified six packages:
rollup-packages-polyfill-corerollup-runtime-polyfill-coreswift-parse-streamquirky-tokenreact-icon-svgsrollup-plugin-polyfill-connect
The Hacker News reported that four supporting packages had been removed from npm. The removal status of the two entry packages was not separately confirmed. At the time of JFrog's analysis, four of the six remained active and only two had been replaced with security-remediation versions.
A two-stage infection chain
rollup-packages-polyfill-core installed swift-parse-stream, while rollup-runtime-polyfill-core loaded quirky-token. A separate package, react-icon-svgs, used rollup-plugin-polyfill-connect as its second stage.
The second-stage packages pretended to be SVG utilities. In reality, they contacted a JSONKeeper address and executed the value of a model field. The extra stage made the campaign harder to identify than ordinary typosquatting.
Developer workstations and CI were the targets
Rollup plugins are commonly executed from local configuration files and continuous-integration pipelines. Those environments often contain source code, npm tokens, Git credentials, cloud keys, and SSH keys.
Before running its payload, the malware inspected the environment. It attempted to avoid cloud development environments, sandboxes, serverless systems, and analysis infrastructure. If the checks passed, it downloaded an encrypted payload from 216.126.236.244. JFrog said the decrypted payload was approximately 114 KB. The address was published as an indicator of compromise.
Remote control and four collection capabilities
The decrypted code created files named pack, scdata, and ldata in a temporary directory. Its capabilities fell into four groups.
First, it provided remote control: command execution, terminal access, screenshots, and process termination. Screenshot capture and mouse or keyboard control were designed to work only on Windows.
Second, it collected browser and cryptocurrency-wallet data, including stores used by major wallet extensions such as MetaMask.
Third, it searched the file system. It examined editor histories from VS Code, Windsurf, and Cursor, as well as configuration files associated with AWS, Azure, Google Gemini, Anthropic Claude, Foundry, SSH, and Zsh.
Fourth, it monitored the clipboard and transmitted copied values whenever they changed.
Similarities to Lazarus-linked campaigns
The Hacker News said the operation resembled earlier npm campaigns associated with North Korea's Lazarus activity. In April, Panther analyzed 108 malicious npm packages and 261 releases linked to the Contagious Interview campaign. BeaverTail and OtterCookie malware also appeared in those cases.
The attribution remains an assessment based on technical similarities. The campaign structure and payload methods overlap with earlier activity, but that does not constitute definitive proof of the operator's identity.
What development teams should check
Removing the packages alone may not be enough. Teams should inspect both the project and the affected workstation.
All six packages should be removed from projects and lockfiles. Dependency trees should also be checked for indirect references to swift-parse-stream, quirky-token, or rollup-plugin-polyfill-connect.
Teams should look for the temporary files pack, scdata, and ldata. JFrog also recommended blocking traffic to 216.126.236.244 and the associated JSONKeeper addresses.
Credential rotation is necessary for potentially exposed npm, GitHub, cloud, SSH, browser, and wallet secrets. Rotation should happen only after malware artifacts and active processes have been removed, using a known-clean environment.
The incident illustrates a structural risk in the open-source supply chain: names and descriptions alone are not enough to distinguish a legitimate package from a malicious imitation.
Evidence that the same activity cluster expanded across several developer ecosystems is covered in North Korea-Linked PolinRider Campaign Expands Beyond npm to Go and Chrome.
Frequently asked questions
Was the attack definitively attributed to North Korea?
No. Researchers identified similarities between the campaign's structure and payloads and previous North Korea-linked activity. The operator has not been conclusively established.
Which malicious npm packages should teams look for?
The six packages are rollup-packages-polyfill-core, rollup-runtime-polyfill-core, swift-parse-stream, quirky-token, react-icon-svgs, and rollup-plugin-polyfill-connect. Teams should inspect both direct dependencies and transitive entries in lockfiles.
Is deleting the package enough?
Potentially not. Teams should inspect for infection artifacts and outbound communication, then rotate exposed npm, GitHub, cloud, and SSH credentials from a clean environment.
Unauthorized copying, redistribution, and automated scraping are not permitted. Please cite the original URL when referencing this article.
Related writing
Tech Journalism
North Korea-Linked PolinRider Campaign Expands Beyond npm to Go and Chrome
The North Korea-linked PolinRider campaign expanded across npm, Go, Packagist, Chrome extensions, GitHub repositories, and developer tools.
Platform
Linux Network Security Fundamentals for Cloud Operations
A Linux and networking foundation note that connects shell commands, permissions, processes, ports, firewalls, DNS, and cloud operations.
Platform
Web Application Security and Cloud Operations Guardrails
A practical review of web application attack surfaces, container boundaries, cloud storage controls, and operational security guardrails.