Threat actors with ties to North Korea have been linked to a fresh set of malicious npm packages that masquerade as Rollup polyfill tooling to facilitate remote access and data theft. According to JFrog, the packages “rollup-packages-polyfill-core” and “rollup-runtime-polyfill-core” mimic the legitimate “rollup-plugin-polyfill-node” project, down to the description, repository metadata, and package shape.
The campaign also involves four other packages: quirky-token, react-icon-svgs, rollup-plugin-polyfill-connect, and swift-parse-stream. The second-stage packages are near-identical SVG utilities that fetch a JSON object from JSONKeeper and pass its “model” field to eval(). This layered structure is similar to previous North Korean Lazarus-linked npm campaigns.
The malware runs checks to avoid execution within cloud development environments, sandboxes, serverless runtimes, and analysis infrastructure. Past this gate, it installs dependencies and reaches out to an external server to fetch an encrypted JavaScript payload. The decrypted payload acts as a loader for additional scripts responsible for enabling remote access, command execution, screenshot capture, process termination, and data theft from web browsers and cryptocurrency wallets.
The disclosure coincides with the discovery of multiple software supply chain attacks by Checkmarx, SafeDep, and AWS security researcher Chi Tran aimed at poisoning open-source package repositories and stealing valuable data. Users who have installed any of the aforementioned packages are advised to remove them, assume compromise, rotate credentials, block malicious egress channels, and enable dependency scanning in CI/CD pipelines.
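A triage script for the remediation step above, added here as an example and not code from JFrog or the article: it walks a package-lock.json (lockfile v2/v3) for the six package names quoted in the report and traces each hit back to whatever required it, so a second-stage hit can be followed to the lookalike that installed it. The sample lockfile, its version numbers and the file name audit-lock.js are constructed.

```javascript
// Added example: triage a package-lock.json (lockfile v2/v3) for the npm
// packages named in the report and trace each hit back to whatever required it.
// Usage: node audit-lock.js path/to/package-lock.json
const INDICATORS = new Set([ // names quoted in the report
  "rollup-packages-polyfill-core", "rollup-runtime-polyfill-core",
  "quirky-token", "react-icon-svgs",
  "rollup-plugin-polyfill-connect", "swift-parse-stream",
]);
// Lockfile keys look like "node_modules/a/node_modules/b"; the installed package
// name is whatever follows the last "node_modules/" (scoped names included).
function nameFromPath(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? key : key.slice(i + "node_modules/".length);
}
// Returns one record per indicator hit: { name, version, path, requiredBy }, where
// requiredBy lists every lock entry whose "dependencies" map names the hit.
// Lockfile v1 (no "packages" map) is not handled and yields no hits.
function auditLockfile(lock) {
  const packages = lock.packages || {};
  const entries = Object.entries(packages);
  const hits = [];
  for (const [path, entry] of entries) {
    if (path === "") continue; // the project's own root entry
    const name = entry.name || nameFromPath(path);
    if (!INDICATORS.has(name)) continue;
    const requiredBy = entries
      .filter(([, e]) => e.dependencies && name in e.dependencies)
      .map(([p]) => (p === "" ? "<root package.json>" : nameFromPath(p)));
    hits.push({ name, version: entry.version, path, requiredBy });
  }
  return hits;
}
// Constructed sample lockfile (versions invented) showing the layered structure:
// the lookalike is a direct dependency and pulls in a second-stage package.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app", dependencies: { "rollup-packages-polyfill-core": "^1.0.0", lodash: "^4.17.21" } },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/rollup-packages-polyfill-core": { version: "1.0.0", dependencies: { "react-icon-svgs": "^0.1.0" } },
    "node_modules/rollup-packages-polyfill-core/node_modules/react-icon-svgs": { version: "0.1.0" },
  },
};
// CLI entry point (CommonJS only): read the lockfile given on the command line,
// otherwise fall back to the constructed sample so the script runs offline.
if (typeof require === "function" && require.main === module) {
  const lock = process.argv[2] ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const h of auditLockfile(lock))
    console.log(`${h.name}@${h.version} (${h.path}) required by: ${h.requiredBy.join(", ") || "none recorded"}`);
}
```

Any hit means the install host should be treated as compromised per the advice above; the requiredBy chain tells you which direct dependency to remove.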
CVEs: CVE-2026-55200, CVE-2026-46817
Attack groups: Lazarus Group, Contagious Interview
Malware: BeaverTail, OtterCookie
Companies: JFrog, Checkmarx, SafeDep, AWS
Products: Microsoft Visual Studio Code, Windsurf, Cursor, npm, PyPI, GitHub, Slack, Telegram, Cloudflare Workers, Ethereum, JSONKeeper
Original source: thehackernews.com