North Korea Linked npm Packages Impersonate Rollup Polyfill Tools To Target Developer Systems And Steal Secrets

Published:

Security researchers have identified a new software supply chain attack involving malicious npm packages linked to North Korea affiliated threat actors. According to findings from JFrog, the campaign uses packages designed to impersonate legitimate Rollup polyfill tooling in order to deceive developers and infiltrate development environments. The malicious packages, including “rollup-packages-polyfill-core” and “rollup-runtime-polyfill-core,” are crafted to closely resemble the legitimate “rollup-plugin-polyfill-node” project by copying descriptions, repository metadata, and structural elements. Researchers noted that the naming strategy places the malicious packages within a believable ecosystem of Rollup, polyfill, core, and node related dependencies, increasing the likelihood of accidental installation during routine dependency checks or quick reviews.

The campaign extends beyond these two packages and includes additional components such as “quirky-token,” “react-icon-svgs,” “rollup-plugin-polyfill-connect,” and “swift-parse-stream,” all of which have since been removed from the npm registry. The infection chain is structured in multiple stages, where the primary packages automatically install secondary payloads. For example, “rollup-packages-polyfill-core” installs “swift-parse-stream,” while “rollup-runtime-polyfill-core” installs “quirky-token,” and “react-icon-svgs” installs “rollup-plugin-polyfill-connect” as a secondary stage. These second stage packages are described as near identical SVG utility tools that retrieve JSON objects from a service called JSONKeeper and execute the content found in the model field. JFrog stated that the layered architecture combines legitimate looking metadata, hidden install time execution, environment detection checks, and credential theft or remote access functionality, resembling previous campaigns attributed to North Korean Lazarus linked npm activity.

The attack chain begins with a Base64 encoded npm install command embedded within “swift-parse-stream” or “quirky-token,” which is concealed inside the initial polyfill themed packages. Once executed, the second stage packages operate as disguised SVG sanitization utilities that connect to external JSONKeeper endpoints to retrieve and execute malicious JavaScript code. This code includes environment checks designed to avoid execution in cloud development environments, sandboxes, serverless systems, and analysis platforms. If the checks are passed, the malware proceeds to install dependencies and communicate with an external server located at 216.126.236.244 to retrieve an encrypted JavaScript payload. Once decrypted, the payload functions as a loader that enables remote access capabilities on compromised systems, including interactive terminal control, command execution, screenshot capture, process termination, and Windows specific input simulation such as mouse movements, clicks, scrolling, keyboard input, and hotkeys through the @nut-tree-fork/nut-js library. It also supports data theft from browsers and cryptocurrency wallets, file collection based on specific extensions, and periodic clipboard capture activity.

Researchers highlighted that the malware specifically targets developer environments where sensitive data is commonly stored. The file collection mechanism searches for configuration and history data from development tools such as Microsoft Visual Studio Code, Windsurf, Cursor, AWS, Microsoft Azure, Google Gemini, Anthropic Claude, Foundry, SSH configurations, and Z shell environments. The campaign reflects a broader pattern of software supply chain attacks where open source ecosystems are abused to gain access to high value targets. JFrog noted that Rollup plugins are frequently loaded in local development environments, CI pipelines, and build systems where secrets such as API keys, SSH credentials, cloud tokens, and Git authentication data are often exposed. Once compromised, the malware provides both data collection and remote control capabilities, making developer workstations and build servers primary targets.

The disclosure also aligns with multiple concurrent supply chain attacks observed by security researchers from Checkmarx, SafeDep, and AWS researcher Chi Tran. These include trojanized PyPI packages under Operation Navy Ghost, npm packages targeting DeFi developers with infostealing capabilities, malicious npm scopes designed to harvest credentials from CI/CD environments, and other backdoor laden packages distributed across open source ecosystems. Security experts warn that organizations relying on open source dependencies face increasing risks as attackers continue to weaponize package repositories for stealthy infiltration. Users who may have installed any of the affected packages are advised to remove them immediately, assume potential system compromise, rotate all credentials, block suspicious outbound network traffic, and enable dependency scanning within CI/CD pipelines to detect newly introduced malicious packages.

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.

Related articles

spot_img