Threat actors with ties to North Korea have been linked to a fresh set of malicious npm packages that masquerade as Rollup polyfill tooling to facilitate remote access and data theft.
According to JFrog, the packages “rollup-packages-polyfill-core” and “rollup-runtime-polyfill-core” mimic the legitimate “rollup-plugin-polyfill-node” project, down to the description, repository metadata, and package shape.
“The lookalike packages place themselves in the same rollup, polyfill, core, and node naming space, which can look plausible during a quick dependency review,” JFrog said in a technical write-up of the campaign.
The campaign also involves four other packages, all of which have since been removed from the npm registry –
- quirky-token
- react-icon-svgs
- rollup-plugin-polyfill-connect
- swift-parse-stream
What’s noteworthy here is that “rollup-packages-polyfill-core” installs and loads “swift-parse-stream,” while “rollup-runtime-polyfill-core” installs and loads “quirky-token.” In a similar fashion, “react-icon-svgs” has been found to install “rollup-plugin-polyfill-connect” as a second stage.
“The second-stage packages are near-identical SVG utilities that fetch a JSON object from JSONKeeper and eval the model field,” the cybersecurity company said. “This layered structure, together with the lookalike names, legitimate-looking metadata, hidden install-time execution, environment checks, and credential-theft/remote-access payloads, is similar to previous North Korean Lazarus-linked npm campaigns.”
It’s worth emphasizing here that this is not the first time North Korean threat actors have uploaded npm packages impersonating Rollup polyfill tools. In April 2026, Panther detailed a sustained npm campaign that involved publishing 108 malicious npm packages spanning 261 versions to deliver BeaverTail and OtterCookie, two known malware families linked to Contagious Interview. Among those packages was “rollup-plugin-polyfill-route,” which was published on March 20, 2026.
The starting point of the attack is a Base64-encoded npm install command for “swift-parse-stream” (or “quirky-token”) that’s concealed within “rollup-packages-polyfill-core” (or “rollup-runtime-polyfill-core”). The two second-stage packages are dressed up as SVG sanitization utilities, while reaching out to a JSON Keeper URL to retrieve and execute JavaScript malware.
The JavaScript code runs checks to avoid execution within cloud development environments, sandboxes, serverless runtimes, and analysis infrastructure. Past this gate, the malware installs the necessary dependencies and reaches out to an external server (“216.126.236[.]244”) to fetch an encrypted JavaScript payload.
The decrypted payload then acts as a loader for additional scripts responsible for enabling remote access to the compromised host to support interactive terminal sessions, command execution, screenshot capture, process termination, Windows-only mouse movement, clicks, scrolling, keyboard presses, and hotkeys using the “@nut-tree-fork/nut-js” package, as well as steal data from web browsers and cryptocurrency wallets, collect files matching specific extensions, and periodically capture clipboard content.
The features overlap with those of OtterCookie, with the use of “@nut-tree-fork/nut-js” for remote mouse and keyboard control also observed in a package named “express-session-js” that was detailed by SafeDep in April 2026. The file collector component has been found to specifically look for editor history associated with Microsoft Visual Studio Code, Windsurf, and Cursor, along with developer and AI tool configurations, such as AWS, Microsoft Azure, Google Gemini, Anthropic Claude, Foundry, SSH, and Z shell (Zsh).
“Rollup plugins are commonly loaded from local configuration files, developer workstations, and CI jobs,” JFrog said. “These environments often have access to sensitive assets such as source code, npm tokens, Git credentials, cloud keys, SSH keys, browser data, and project secrets.”
“The payload is also broader than a simple downloader. Once the later stages run, the attacker gains both collection and control capabilities. This makes the payload relevant to developer workstations and build machines, where API keys, SSH keys, wallet material, cloud credentials, and project secrets are often present.”
The disclosure coincides with the discovery of multiple software supply chain attacks by Checkmarx, SafeDep, and AWS security researcher Chi Tran aimed at poisoning open-source package repositories and stealing valuable data –
- A cluster of at least eight trojanized “pyrogram” forks published by a threat actor operating under multiple identities between November 2025 and June 2026, including a hidden backdoor that grants them full remote control over any server running the infected PyPI package by running arbitrary Python code or shell commands sent by the attacker. The results of the command execution are exfiltrated via Telegram. The activity has been codenamed Operation Navy Ghost by Checkmarx.
- A cluster of 30 npm packages mimicking Polymarket tooling and general mathematics libraries published by 10 npm maintainer accounts that targeted DeFi developers to deliver a JavaScript infostealer that reads crypto wallet vaults, browser credentials, SSH keys, AWS credentials, npm tokens, Docker configurations, shell history, and password manager databases.
- A cluster of 25 npm packages published under the @marketfront scope by an npm account named “marketfront” that contains a postinstall credential harvester that reads 20 credential and secret files, including ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, ~/.env, and shell history, and exfiltrates the data.
- A Python package named “security-alerts-sdk” that claims to be a data breach-monitoring tool but harbors code to launch a backdoor that periodically polls an external server (“142.93.211[.]30:5000”) for commands and exfiltrates SSH private keys, AWS credentials, Docker/npm/PyPI/git tokens, .env files, and browser credential databases to the same server.
- A cluster of 15 npm packages published by a single threat actor operating under 13 npm scopes that triggers a postinstall JavaScript payload responsible for downloading and executing a Rust-compiled ELF binary hosted on GitHub, which then harvests a wide range of data from cryptocurrency wallets, web browsers, and other applications, including cloud provider tokens, SSH keys, messaging platform sessions, database client configurations, and developer credentials.
- An npm package named “events-runtime” that typosquats the “events” package and conditionally spawns a cryptocurrency wallet stealer, exfiltrates host reconnaissance data over Slack and Telegram, opens a bidirectional Slack command channel, and reads configuration and payload chunks from an Ethereum smart contract used as a dead drop resolver. The malicious logic is fired only when the event ID is “eventId0.”
- An npm package named “o3forms” that steals cloud service provider credentials, scans developer secrets and CI/CD environments, performs internal network reconnaissance, and exfiltrates the data to an attacker-controlled Cloudflare Workers endpoint. “The attacker split the attack into a deliberately benign, registry-published package and a GitHub-pinned *-utils sub-dependency that carries both the install hooks and the actual malware,” Tran said. “This structure is designed specifically to defeat the static and lifecycle-script scanning that most registry-side and CI-side tooling relies on.”
Users who have installed any of the aforementioned packages are advised to remove them from their workstations, assume compromise and rotate credentials, block the malicious egress channels, and enable dependency scanning in CI/CD pipelines to flag newly published or suspicious packages.
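The two tells JFrog describes for the first stage, a package name that sits in the same token space as a legitimate project and a hidden install-time hook carrying a Base64-encoded npm install command, are both visible in a package manifest before anything runs. The following Node.js script is an added example written for this article; it is not JFrog's tooling nor part of any npm project. It audits a set of package.json objects for lookalike names (measured as shared name tokens against an assumed allowlist of known packages), for lifecycle install hooks, and for Base64 blobs inside those hooks that decode to an install or download command. The sample manifests are constructed for illustration; only the package names are taken from the write-up, and the allowlist, hook list, and scoring threshold are assumptions.

```javascript
// Added example, not code from JFrog or from any npm project.
// Audits npm package manifests for two install-time warning signs:
//  1. a name that looks like a known package (shares name tokens, is not identical)
//  2. a lifecycle install hook, especially one carrying a Base64 blob that decodes
//     to an install/download command.
// Assumed allowlist of legitimate names; a real deployment would use a curated list.
const KNOWN_PACKAGES = ['rollup-plugin-polyfill-node'];
// Lifecycle scripts npm runs automatically at install time (assumed set to check).
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Split a package name into lowercase tokens, dropping any @scope prefix:
// "rollup-packages-polyfill-core" -> ["rollup","packages","polyfill","core"]
function tokens(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, '').split(/[-_./]+/).filter(Boolean);
}

// A name is a lookalike when it shares at least `min` tokens with a known
// package but is not that package. Returns the match or null.
function lookalikeOf(name, known = KNOWN_PACKAGES, min = 2) {
  const have = new Set(tokens(name));
  for (const k of known) {
    if (k === name) continue;
    const shared = tokens(k).filter((t) => have.has(t));
    if (shared.length >= min) return { known: k, shared };
  }
  return null;
}

// Find Base64-looking runs in a shell command, decode them, and keep only the
// ones that are printable text containing an install/exec/download command.
function decodeSuspiciousBase64(cmd) {
  const hits = [];
  for (const blob of cmd.match(/[A-Za-z0-9+\/]{16,}={0,2}/g) || []) {
    const text = Buffer.from(blob, 'base64').toString('utf8');
    if (!/^[\x20-\x7e\s]+$/.test(text)) continue; // decoded to binary junk, skip
    if (/\b(npm|npx|yarn|pnpm)\s+(i|install|add|exec)\b|\bnode\s+-e\b|\bcurl\b|\bwget\b/.test(text)) {
      hits.push(text);
    }
  }
  return hits;
}

// Audit one parsed package.json; returns a list of human-readable findings
// (empty list means nothing suspicious under these heuristics).
function auditManifest(pkg) {
  const findings = [];
  const look = lookalikeOf(pkg.name);
  if (look) findings.push(`lookalike of ${look.known} (shared tokens: ${look.shared.join(', ')})`);
  for (const hook of INSTALL_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (!cmd) continue;
    findings.push(`install-time hook "${hook}": ${cmd}`);
    for (const text of decodeSuspiciousBase64(cmd)) {
      findings.push(`base64 in ${hook} decodes to: ${text}`);
    }
  }
  return findings;
}

// Audit many manifests; returns { packageName: [findings...] }.
function auditAll(manifests) {
  const report = {};
  for (const m of manifests) report[m.name] = auditManifest(m);
  return report;
}

// Constructed sample manifests. The hook below only passes an encoded string to a
// hypothetical setup script; the point is that the audit surfaces what it encodes.
const ENCODED = Buffer.from('npm install swift-parse-stream', 'utf8').toString('base64');
const SAMPLES = [
  { name: 'rollup-plugin-polyfill-node', version: '0.13.0', scripts: { build: 'tsc' } },
  { name: 'rollup-packages-polyfill-core', version: '0.13.0',
    scripts: { postinstall: `node scripts/setup.js ${ENCODED}` } },
  { name: 'rollup-plugin-polyfill-connect', version: '1.0.2', scripts: {} },
  { name: 'left-pad', version: '1.3.0', scripts: { test: 'node test.js' } },
];

console.log(JSON.stringify(auditAll(SAMPLES), null, 2));
```

Run it with `node audit.js` (any file name) and the report lists, per package, a lookalike match for the two rollup-named samples, the postinstall hook of the core package, and the decoded install command hidden inside it, while the genuine “rollup-plugin-polyfill-node” and “left-pad” produce no findings. Feeding it the package.json files under node_modules after a fresh install in CI is a cheap way to flag the shape of this campaign before a hook has a chance to run; it is a heuristic, so treat hits as items to review rather than verdicts.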