
North Korea-Linked npm Packages Disguise Themselves as Rollup Polyfills for Data Theft

In brief: Malicious npm packages impersonate legitimate Rollup polyfills and enable North Korean actors to steal data and gain remote access to developer systems.

Attackers with ties to North Korea are distributing manipulated npm packages that pose as legitimate Rollup polyfill tools and enable remote access and data theft. JFrog has analyzed the campaign and identified two suspicious packages.

Security firm JFrog has analyzed two malicious npm packages named “rollup-packages-polyfill-core” and “rollup-runtime-polyfill-core”. They mimic the legitimate project “rollup-plugin-polyfill-node” in meticulous detail: the description, repository metadata, and package structure match the original project in order to deceive developers into installing them.

For a CTO, this supply-chain attack poses a significant risk. When developers integrate these packages as dependencies, the embedded malicious code can exfiltrate authentication credentials, API keys, environment variables, and other sensitive data from the development environment. Since polyfill tools are typically loaded during the build process, attackers can potentially gain access to CI/CD pipelines and production infrastructure.

The campaign underscores the need to regularly audit npm dependencies, verify package signatures, and deploy dependency-management tools such as npm audit or Software Composition Analysis (SCA). Particular attention should be paid to so-called “typosquatting” and “cousin domain” attacks, where attackers slightly modify the names of established projects.
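As an added example (not code from JFrog or the source article), the following Node.js sketch audits a parsed `package-lock.json` for the two package names reported above and flags names that closely resemble the legitimate `rollup-plugin-polyfill-node`. The lookalike heuristic and its threshold are assumptions, and the sample lockfile is constructed.

```javascript
// Package names are the ones named in the report; LEGIT is the imitated project.
const KNOWN_MALICIOUS = new Set(['rollup-packages-polyfill-core', 'rollup-runtime-polyfill-core']);
const LEGIT = 'rollup-plugin-polyfill-node';
// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // value of the previous row at column j - 1
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = up;
    }
  }
  return row[b.length];
}

// Gather names from lockfile v2/v3 ("packages" paths) and v1 (nested "dependencies").
function collectNames(lock, names = new Set()) {
  for (const path of Object.keys(lock.packages || {})) {
    const i = path.lastIndexOf('node_modules/');
    if (i !== -1) names.add(path.slice(i + 'node_modules/'.length));
  }
  for (const [name, dep] of Object.entries(lock.dependencies || {})) {
    names.add(name);
    collectNames(dep, names); // v1 nests transitive dependencies
  }
  return names;
}

// Assumed heuristic: edit distance <= 2 from LEGIT, or "rollup" + "polyfill" name tokens.
function auditLockfile(lock) {
  const findings = [];
  for (const name of collectNames(lock)) {
    const tokens = new Set(name.split('-'));
    const lookalike = name !== LEGIT && (editDistance(name, LEGIT) <= 2 ||
      (tokens.has('rollup') && tokens.has('polyfill')));
    if (KNOWN_MALICIOUS.has(name)) findings.push({ name, reason: 'named-in-report' });
    else if (lookalike) findings.push({ name, reason: 'lookalike-review' });
  }
  return findings.sort((x, y) => (x.name < y.name ? -1 : 1));
}
// Constructed sample lockfile ("build-helper" and the misspelled name are made up).
const SAMPLE_LOCK = { packages: {
  'node_modules/rollup-plugin-polyfill-node': {},
  'node_modules/rollup-runtime-polyfill-core': {},
  'node_modules/build-helper/node_modules/rollup-plugin-polyfil-node': {},
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

To check a real project, pass the result of `JSON.parse` on its `package-lock.json` to `auditLockfile`; a `lookalike-review` finding is a prompt for manual review, not proof of compromise.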


Source: thehackernews.com · Published July 3, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.
