North Korean Hackers Deploy Sophisticated npm Malware Masquerading as Rollup Polyfill Tools
Threat actors linked to North Korea are leveraging a new wave of malicious npm packages, disguised as legitimate Rollup polyfill tooling, to facilitate remote access and exfiltrate sensitive data. This campaign highlights a continued focus on software supply chain attacks targeting developers and their environments.
A recent analysis by **JFrog** has uncovered a sophisticated campaign orchestrated by North Korean threat actors, utilizing malicious npm packages to infiltrate developer systems. The attackers are masquerading their malware as popular **Rollup** polyfill tools, aiming to steal credentials and gain remote access.
### Deceptive Tactics and Package Impersonation
The primary malicious packages identified are `rollup-packages-polyfill-core` and `rollup-runtime-polyfill-core`. These packages meticulously mimic the legitimate `rollup-plugin-polyfill-node` project, replicating its description, repository metadata, and overall package structure. This level of detail makes them appear plausible during a quick dependency review, as noted by **JFrog** in their technical write-up.
Other related malicious packages, since removed from the npm registry, include:
* `quirky-token`
* `react-icon-svgs`
* `rollup-plugin-polyfill-connect`
* `swift-parse-stream`
### Layered Infection Chain
The attack employs a layered structure. For instance, `rollup-packages-polyfill-core` installs and loads `swift-parse-stream`, while `rollup-runtime-polyfill-core` deploys `quirky-token`. Similarly, `react-icon-svgs` acts as a first stage to install `rollup-plugin-polyfill-connect`.
These second-stage packages, disguised as SVG utilities, fetch a JSON object from **JSONKeeper** and execute its `model` field. This intricate, multi-stage approach, combined with legitimate-looking metadata and hidden install-time execution, mirrors tactics observed in previous npm campaigns linked to North Korea's **Lazarus Group**.

### Evasion and Payload Execution
The initial attack vector involves a **Base64**-encoded npm install command embedded within the primary malicious packages. The subsequent JavaScript malware incorporates environment checks to evade detection in cloud development environments, sandboxes, serverless runtimes, and analysis infrastructure. Once these checks are bypassed, the malware installs necessary dependencies and connects to an external server (`216.126.236[.]244`) to retrieve an encrypted JavaScript payload.
### Comprehensive Data Theft and Remote Control
Upon decryption, the payload acts as a loader for additional scripts that enable extensive malicious capabilities:
* **Remote Access**: Interactive terminal sessions and command execution.
* **Surveillance**: Screenshot capture, process termination.
* **Input Control**: Windows-only mouse movement, clicks, scrolling, keyboard presses, and hotkeys using the `@nut-tree-fork/nut-js` package.
* **Data Exfiltration**: Theft of data from web browsers and cryptocurrency wallets, collection of files matching specific extensions, and periodic capture of clipboard content.
These features align with those of **OtterCookie**, a known malware family. The use of `@nut-tree-fork/nut-js` for remote control was also observed in the `express-session-js` package, detailed by **SafeDep** in April 2026. The file collector component specifically targets editor history from **Microsoft Visual Studio Code**, **Windsurf**, and **Cursor**, as well as configuration files for developer and AI tools like **AWS**, **Microsoft Azure**, **Google Gemini**, **Anthropic Claude**, **Foundry**, **SSH**, and **Z shell (Zsh)**.

### Targeting Developer Workstations and CI/CD Environments
**JFrog** emphasizes that **Rollup** plugins are frequently loaded in local configuration files, developer workstations, and CI jobs. These environments are often rich with sensitive assets such as source code, npm tokens, Git credentials, cloud keys, SSH keys, browser data, and project secrets. The broad capabilities of this payload, encompassing both data collection and remote control, make it particularly dangerous for developer workstations and build machines.
### Broader Supply Chain Attack Landscape
This disclosure coincides with a surge of other software supply chain attacks targeting open-source package repositories, uncovered by **Checkmarx**, **SafeDep**, and **AWS** security researcher **Chi Tran**:
* **Operation Navy Ghost**: **Checkmarx** identified at least eight trojanized `pyrogram` forks, published between November 2025 and June 2026, containing a hidden backdoor for remote control and data exfiltration via **Telegram**.
* **DeFi Infostealer**: **SafeDep** found 30 npm packages mimicking **Polymarket** tooling and mathematics libraries, targeting **DeFi** developers to steal crypto wallet vaults, browser credentials, SSH keys, and cloud credentials.
* **Marketfront Dependency Confusion**: A cluster of 25 npm packages under the `@marketfront` scope contained a post-install credential harvester, exfiltrating 20 types of sensitive files including SSH, AWS, and Docker configurations.
* **Security Alerts SDK Backdoor**: **Chi Tran** detailed a Python package named `security-alerts-sdk`, masquerading as a data breach monitoring tool, which launched a backdoor to exfiltrate SSH private keys, AWS credentials, and various tokens.
* **Operation Friday Harvest**: **Chi Tran** also uncovered 15 npm packages by a single threat actor, deploying a **Rust**-compiled **ELF** binary to harvest data from cryptocurrency wallets, web browsers, and cloud provider tokens.
* **Events-Runtime Typosquatting**: An npm package named `events-runtime` typosquatted the legitimate `events` package, conditionally spawning a cryptocurrency wallet stealer and exfiltrating host reconnaissance data over **Slack** and **Telegram**.
* **O3forms Cloud Credential Stealer**: The `o3forms` npm package stole cloud service provider credentials, scanned developer secrets, and performed internal network reconnaissance. **Tran** highlighted a new pattern where the attack was split between a benign registry-published package and a **GitHub**-pinned sub-dependency carrying the malware.