{"id":285454,"date":"2026-07-03T12:07:00","date_gmt":"2026-07-03T16:07:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/07\/03\/north-korea-linked-npm-packages-mimic-rollup-polyfills-to-steal-developer-secrets\/"},"modified":"2026-07-03T17:45:09","modified_gmt":"2026-07-03T21:45:09","slug":"north-korea-linked-npm-packages-mimic-rollup-polyfills-to-steal-developer-secrets","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/07\/03\/north-korea-linked-npm-packages-mimic-rollup-polyfills-to-steal-developer-secrets\/","title":{"rendered":"North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/north-korea-linked-npm-packages-mimic.html\">North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/north-korea-linked-npm-packages-mimic.html\">https:\/\/thehackernews.com\/2026\/07\/north-korea-linked-npm-packages-mimic.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-03 12:07:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Threat actors with ties to North Korea have been linked to a fresh set of malicious npm packages that masquerade as Rollup polyfill tooling to facilitate remote access and data theft.<\/p>\n<p>According to JFrog, the packages &#8220;rollup-packages-polyfill-core&#8221; and &#8220;rollup-runtime-polyfill-core&#8221; mimic the legitimate &#8220;rollup-plugin-polyfill-node&#8221; project, down to the description, repository metadata, and package shape.<\/p>\n<p>&#8220;The lookalike packages place themselves in the same rollup, polyfill, core, and node naming space, which can look plausible during a quick dependency review,&#8221; JFrog said in a technical write-up of the campaign.<\/p>\n<p>The campaign also involves four other packages, all of which have 
since been removed from the npm registry &#8211;<\/p>\n<ul>\n<li>quirky-token<\/li>\n<li>react-icon-svgs<\/li>\n<li>rollup-plugin-polyfill-connect<\/li>\n<li>swift-parse-stream<\/li>\n<\/ul>\n<p>What&#8217;s noteworthy here is that &#8220;rollup-packages-polyfill-core&#8221; installs and loads &#8220;swift-parse-stream,&#8221; while &#8220;rollup-runtime-polyfill-core&#8221; installs and loads &#8220;quirky-token.&#8221; In a similar fashion, &#8220;react-icon-svgs&#8221; has been found to install &#8220;rollup-plugin-polyfill-connect&#8221; as a second stage.<\/p>\n<p>&#8220;The second-stage packages are near-identical SVG utilities that fetch a JSON object from JSONKeeper and eval the model field,&#8221; the cybersecurity company said. &#8220;This layered structure, together with the lookalike names, legitimate-looking metadata, hidden install-time execution, environment checks, and credential-theft\/remote-access payloads, is similar to previous North Korean Lazarus-linked npm campaigns.&#8221;<\/p>\n<p>It&#8217;s worth emphasizing here that this is not the first time North Korean threat actors have uploaded npm packages impersonating Rollup polyfill tools. In April 2026, Panther detailed a sustained npm campaign that involved publishing 108 malicious npm packages spanning 261 versions to deliver BeaverTail and OtterCookie, two known malware families linked to Contagious Interview. 
Among those packages was &#8220;rollup-plugin-polyfill-route,&#8221; which was published on March 20,&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/north-korea-linked-npm-packages-mimic.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets https:\/\/thehackernews.com\/2026\/07\/north-korea-linked-npm-packages-mimic.html Publish Date: 2026-07-03&#8230;<\/p>\n","protected":false},"author":1,"featured_media":285455,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj4otDF6_5qt7ZmrCLMXmx7sFXfY6RGHHI0BiGRcVkTqLo-l1VokprcvB7FhK5fJdL0j8Ds95uLQxiWKt2YYFV1N9K8WIL3lfONey4wBln2Vee4YTI_9z5_t-2VT1bZ17sEomQdONnVWEB3sc9lj13AJwdhbmn6CNlfx9Lwc7UNxg2C87xKFZPz5UL4lHJE\/s1600\/npms-malware.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32],"class_list":["post-285454","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/285454"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=285454"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/285454\/revisions"}],"predecessor-version":[{"id":285456,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/285454\/revisions\/285456"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ne
ws-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/285455"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=285454"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=285454"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=285454"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}