Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets
North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets
NEWS

North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets

JFrog researchers attribute a fresh npm supply chain campaign to North Korea's Lazarus Group. Malicious packages impersonating Rollup polyfill tooling...

Dylan H.

News Desk

July 4, 2026
4 min read

What Happened

Security researchers at JFrog have uncovered a new npm supply chain campaign attributed to North Korea's Lazarus Group. A cluster of malicious packages impersonating legitimate Rollup JavaScript bundler polyfill tooling were published to the npm registry, targeting developer workstations to steal credentials and deploy a persistent remote access implant.

Malicious Packages Identified

PackageRole
rollup-packages-polyfill-corePrimary — delivers stage-2 payload
rollup-runtime-polyfill-corePrimary — delivers stage-2 payload
quirky-tokenSecondary
react-icon-svgsSecondary
rollup-plugin-polyfill-connectSecondary
swift-parse-streamSecondary

All packages have been removed from the npm registry. The campaign follows a prior April 2026 campaign attributed to the same threat actor cluster, which involved 108 malicious packages across 261 versions.


How the Attack Works

Stage 1: Environment Fingerprinting

Once a malicious package is installed, it executes an environment check before doing anything visible. If it detects a cloud infrastructure environment, analysis sandbox, or serverless runtime, it aborts silently. This evasion technique prevents the payload from firing in automated scanning environments.

Stage 2: Living-Off-the-Land Payload Delivery

If the environment check passes — indicating a real developer workstation — the package:

  1. Fetches a JSON object from JSONKeeper (a public JSON storage service), avoiding static detection by not embedding the payload directly in the npm package
  2. Executes the model field of the fetched JSON as code — a technique that allows the attackers to update the payload without publishing new packages
  3. Fetches an encrypted secondary payload from the hardcoded C2 IP: 216.126.236[.]244

Stage 3: Remote Access Implant Deployment

The final-stage implant uses the @nut-tree-fork/nut-js library to gain interactive desktop control — mouse movements, keyboard input, and screen observation — giving Lazarus operators full access to the compromised developer's workstation.


What Gets Stolen

The malware targets the developer toolchain with surgical precision:

Developer Environment

  • VS Code session history and workspace data
  • Cursor AI editor history
  • Windsurf IDE history
  • Zsh / Bash shell history files (often contain API keys and commands)

Cloud Credentials

  • AWS credentials (~/.aws/credentials, environment variables)
  • Azure CLI tokens and service principal credentials
  • GCP application default credentials

AI Service Keys

  • Anthropic Claude API keys
  • Google Gemini API keys
  • Other AI service API keys stored in config files or environment

Other High-Value Data

  • SSH private keys (~/.ssh/)
  • Cryptocurrency wallet files
  • Clipboard contents (monitored continuously)
  • Browser saved passwords and session tokens

Attribution

JFrog and Checkmarx attribute this campaign to Lazarus Group, a North Korean state-sponsored threat actor (also tracked as UNC4899, Jade Sleet, and TraderTraitor by various vendors).

The targeting profile is consistent with Lazarus Group's established playbook:

  • Cryptocurrency theft via developer machine compromise and wallet access
  • Intelligence collection from cloud and AI environments
  • Persistent access via remote desktop implants for long-term operations

The April 2026 predecessor campaign (108 packages, 261 versions) used similar infrastructure and techniques, confirming this is an active, iterative operation — not a one-off.


Indicators of Compromise

Network IOC

IOCTypeDescription
216.126.236[.]244IP AddressStage-2 payload C2 server
jsonkeeper.comDomainStage-1 payload hosting (legitimate service abused)

Package Names to Search For

# Check your package.json and lock files
grep -r "rollup-packages-polyfill-core\|rollup-runtime-polyfill-core\|quirky-token\|react-icon-svgs\|rollup-plugin-polyfill-connect\|swift-parse-stream" .
 
# Check global npm installs
npm list -g 2>/dev/null | grep -E "rollup-.*polyfill|quirky-token|swift-parse"

Defensive Recommendations

Immediate Actions

  1. Audit dependencies — Search all package.json and lock files for the named packages
  2. Block the C2 IP — Add 216.126.236[.]244 to firewall deny lists
  3. Rotate potentially exposed credentials — If any of the malicious packages were installed, treat all stored credentials as compromised
  4. Enable npm provenance attestation — Verified provenance makes supply chain attacks significantly harder

Ongoing Hardening

# Enable npm audit in CI/CD
npm audit --audit-level=high
 
# Use lockfiles to prevent unexpected package resolution
npm ci  # instead of npm install in CI
 
# Enable corepack for consistent package manager versions
corepack enable

For Organizations Using Rollup

Be especially cautious of any npm package with "rollup", "polyfill", or "runtime" in its name that you did not intentionally install. Verify the package maintainers match the official Rollup organization (rollup on npm).

# Verify official Rollup packages
npm view rollup maintainers
npm view @rollup/plugin-commonjs maintainers

Sources

  • The Hacker News — North Korea-Linked npm Packages
  • JFrog Security Research
  • Checkmarx Supply Chain Research

Related Reading

  • UNC6426 NX npm Supply Chain Attack — AWS Admin Breach
  • CanisterWorm Blockchain C2 Self-Spreading npm Worm
  • GlassWorm Supply Chain Attack Abuses VSX Extensions
#North Korea#The Hacker News#Threat Intelligence#npm#Supply Chain#Lazarus Group#Malware

Related Articles

North Korean Hackers Publish 108 Malicious Packages in PolinRider Campaign

Threat actors linked to North Korea's Contagious Interview campaign have published 108 malicious packages and browser extensions across npm, Packagist,...

4 min read

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Cybersecurity researchers discovered 36 malicious npm packages disguised as Strapi CMS plugins that abused Redis and PostgreSQL connections to harvest...

5 min read

UNC1069 Social Engineering of Axios Maintainer Led to npm

The North Korean threat actor UNC1069 used a sophisticated, targeted social engineering campaign against the Axios npm package maintainer Jason Saayman to...

4 min read
Back to all News