North Korea-linked threat actors deployed malicious npm packages designed to mimic legitimate Rollup polyfill tooling and harvest developer credentials and secrets.
JFrog researchers identified two fraudulent packages: "rollup-packages-polyfill-core" and "rollup-runtime-polyfill-core". Both packages closely replicate the legitimate "rollup-plugin-polyfill-node" project, including matching descriptions and repository metadata to deceive developers during installation.
The packages function as supply chain attack vectors targeting JavaScript developers who work with Rollup, a popular module bundler. When installed, the malicious packages execute code capable of extracting sensitive data from compromised systems. The threat actors designed the packages to operate quietly, avoiding immediate detection while exfiltrating developer credentials, API tokens, SSH keys, and environment variables.
This attack demonstrates a refined approach to npm ecosystem compromise. Rather than publishing under obviously suspicious names, the adversaries used lookalike (brandjacking) tactics rather than strict typosquatting: the package names are not misspellings of "rollup-plugin-polyfill-node" but plausible siblings of it, and the copied descriptions and repository metadata were chosen so that a developer searching for Rollup polyfill tooling would install what appeared to be a legitimate build tool. To casual inspection of the registry listing, the packages looked trustworthy.
The North Korean attribution carries particular weight. Historically, threat groups affiliated with North Korea's intelligence services, including the Lazarus Group, have targeted developers and cryptocurrency platforms to fund state operations and steal intellectual property. This new campaign aligns with their established playbook of targeting software supply chains.
The incident underscores the persistent risk posed by lookalike and typosquatting packages in JavaScript ecosystems. Developers pull thousands of packages from npm daily, and malicious actors exploit that trust. Even security-conscious teams can miss subtle naming variations during routine dependency updates, and a copied description or repository link removes the cues that would otherwise prompt a second look.
On the basis of these findings, JFrog recommends that developers audit their npm dependencies immediately. Organizations should verify package authenticity through checksums (for npm, the integrity hashes recorded in the lockfile), review recent installations, and implement
