**North Korean Threat Actors Weaponize npm with Rollup Polyfill Impersonation Campaign**
A new wave of supply chain attacks has been uncovered, with threat actors linked to North Korea leveraging malicious npm packages disguised as Rollup polyfill tools. According to a technical analysis by JFrog, the campaign utilizes lookalike packages designed to steal credentials and facilitate remote access.
The primary malicious packages identified are **”rollup-packages-polyfill-core”** and **”rollup-runtime-polyfill-core.”** These packages meticulously mimic the legitimate **”rollup-plugin-polyfill-node”** project, copying not only the description and repository metadata but also the overall package structure. This high degree of similarity is intended to evade detection during routine dependency reviews, as the packages occupy the same “rollup, polyfill, core, and node naming space.”
The attack strategy is multi-staged and sophisticated. Upon installation, the initial package downloads a second-stage payload. Specifically, “rollup-packages-polyfill-core” installs **”swift-parse-stream,”** while “rollup-runtime-polyfill-core” installs **”quirky-token.”** These second-stage packages are themselves disguised as SVG sanitization utilities. Their true function is to contact a JSON Keeper URL, retrieve a JavaScript model, and execute it via `eval`.
This layered technique, combining lookalike names, legitimate-seeming metadata, hidden execution at install time, environment checks, and credential theft, is consistent with previous operations attributed to the North Korean Lazarus group.
**Evasion and Execution**
The attackers have implemented significant measures to prevent analysis. The JavaScript malware performs checks to avoid executing in cloud development environments, sandboxes, serverless runtimes, and automated analysis tools. If the environment is deemed safe, the malware proceeds to install dependencies and contacts a command-and-control server at **216.126.236.244**.
The decrypted payload acts as a loader for further scripts, granting the attacker interactive terminal access, command execution capabilities, and tools for screenshot capture, process termination, and simulating mouse and keyboard activity (including Windows-specific input). The payload also focuses on data theft, targeting web browser credentials, cryptocurrency wallets, and specific developer files.
**Targeting Developer Environments**
The scope of the attack extends beyond simple execution. The malware actively hunts for sensitive files related to developer workflows, including configurations for Microsoft Visual Studio Code, Windsurf, and Cursor, as well as credentials and configurations for AWS, Microsoft Azure, Google Gemini, Anthropic Claude, SSH, and Z shell (Zsh).
This operation highlights the critical security risk posed by the widespread use of Rollup plugins in development pipelines. As JFrobster’s researchers note, these plugins are often loaded in environments with high levels of access, including source code repositories, npm tokens, cloud API keys, and SSH keys, making them prime targets for espionage and theft.
**Broader Context of Supply Chain Attacks**
This is not an isolated incident. The discovery coincides with a surge in software supply chain attacks targeting open-source repositories. Other recent campaigns have involved trojanized Python libraries on PyPI, npm packages mimicking Polymarket and mathematical libraries, and credential harvesters published under the @marketfront scope. These attacks frequently share the same goal: to steal API keys, cloud credentials, wallet material, and other sensitive data from developer workstations and build machines.
**Recommendations for Users**
Users who have installed any of the identified malicious packages are strongly advised to:
1. Immediately remove the packages from their workstations.
2. Assume system compromise and rotate all credentials.
3. Block the identified malicious egress channels.
4. Implement robust dependency scanning within CI/CD pipelines to detect and flag newly published or suspicious packages.
—
**Original Article Source:**
JFrog. “Lookalike Rollup Polyfill Packages Found Downloading and Executing North Korean Malware.” *JFrog Blog*. https://jfrog.com/blog/ntvos-lookalike-rollup-polyfill-npm-packages/



