What Happened
Security researchers at JFrog have uncovered a new npm supply chain campaign attributed to North Korea's Lazarus Group. A cluster of malicious packages impersonating legitimate Rollup JavaScript bundler polyfill tooling were published to the npm registry, targeting developer workstations to steal credentials and deploy a persistent remote access implant.
Malicious Packages Identified
| Package | Role |
|---|---|
rollup-packages-polyfill-core | Primary — delivers stage-2 payload |
rollup-runtime-polyfill-core | Primary — delivers stage-2 payload |
quirky-token | Secondary |
react-icon-svgs | Secondary |
rollup-plugin-polyfill-connect | Secondary |
swift-parse-stream | Secondary |
All packages have been removed from the npm registry. The campaign follows a prior April 2026 campaign attributed to the same threat actor cluster, which involved 108 malicious packages across 261 versions.
How the Attack Works
Stage 1: Environment Fingerprinting
Once a malicious package is installed, it executes an environment check before doing anything visible. If it detects a cloud infrastructure environment, analysis sandbox, or serverless runtime, it aborts silently. This evasion technique prevents the payload from firing in automated scanning environments.
Stage 2: Living-Off-the-Land Payload Delivery
If the environment check passes — indicating a real developer workstation — the package:
- Fetches a JSON object from JSONKeeper (a public JSON storage service), avoiding static detection by not embedding the payload directly in the npm package
- Executes the
modelfield of the fetched JSON as code — a technique that allows the attackers to update the payload without publishing new packages - Fetches an encrypted secondary payload from the hardcoded C2 IP:
216.126.236[.]244
Stage 3: Remote Access Implant Deployment
The final-stage implant uses the @nut-tree-fork/nut-js library to gain interactive desktop control — mouse movements, keyboard input, and screen observation — giving Lazarus operators full access to the compromised developer's workstation.
What Gets Stolen
The malware targets the developer toolchain with surgical precision:
Developer Environment
- VS Code session history and workspace data
- Cursor AI editor history
- Windsurf IDE history
- Zsh / Bash shell history files (often contain API keys and commands)
Cloud Credentials
- AWS credentials (
~/.aws/credentials, environment variables) - Azure CLI tokens and service principal credentials
- GCP application default credentials
AI Service Keys
- Anthropic Claude API keys
- Google Gemini API keys
- Other AI service API keys stored in config files or environment
Other High-Value Data
- SSH private keys (
~/.ssh/) - Cryptocurrency wallet files
- Clipboard contents (monitored continuously)
- Browser saved passwords and session tokens
Attribution
JFrog and Checkmarx attribute this campaign to Lazarus Group, a North Korean state-sponsored threat actor (also tracked as UNC4899, Jade Sleet, and TraderTraitor by various vendors).
The targeting profile is consistent with Lazarus Group's established playbook:
- Cryptocurrency theft via developer machine compromise and wallet access
- Intelligence collection from cloud and AI environments
- Persistent access via remote desktop implants for long-term operations
The April 2026 predecessor campaign (108 packages, 261 versions) used similar infrastructure and techniques, confirming this is an active, iterative operation — not a one-off.
Indicators of Compromise
Network IOC
| IOC | Type | Description |
|---|---|---|
216.126.236[.]244 | IP Address | Stage-2 payload C2 server |
jsonkeeper.com | Domain | Stage-1 payload hosting (legitimate service abused) |
Package Names to Search For
# Check your package.json and lock files
grep -r "rollup-packages-polyfill-core\|rollup-runtime-polyfill-core\|quirky-token\|react-icon-svgs\|rollup-plugin-polyfill-connect\|swift-parse-stream" .
# Check global npm installs
npm list -g 2>/dev/null | grep -E "rollup-.*polyfill|quirky-token|swift-parse"Defensive Recommendations
Immediate Actions
- Audit dependencies — Search all
package.jsonand lock files for the named packages - Block the C2 IP — Add
216.126.236[.]244to firewall deny lists - Rotate potentially exposed credentials — If any of the malicious packages were installed, treat all stored credentials as compromised
- Enable npm provenance attestation — Verified provenance makes supply chain attacks significantly harder
Ongoing Hardening
# Enable npm audit in CI/CD
npm audit --audit-level=high
# Use lockfiles to prevent unexpected package resolution
npm ci # instead of npm install in CI
# Enable corepack for consistent package manager versions
corepack enableFor Organizations Using Rollup
Be especially cautious of any npm package with "rollup", "polyfill", or "runtime" in its name that you did not intentionally install. Verify the package maintainers match the official Rollup organization (rollup on npm).
# Verify official Rollup packages
npm view rollup maintainers
npm view @rollup/plugin-commonjs maintainersSources
- The Hacker News — North Korea-Linked npm Packages
- JFrog Security Research
- Checkmarx Supply Chain Research