North Korea-linked npm packages impersonate Rollup polyfill tools to steal developer secrets



TL;DR

Six malicious npm packages mimicking Rollup polyfill tools stole developer credentials and enabled remote access in a Lazarus-linked campaign.

Security researchers at JFrog have identified a set of malicious npm packages linked to North Korean threat actors that impersonate legitimate Rollup polyfill tooling to steal developer credentials and enable remote access to compromised machines. The packages, named “rollup-packages-polyfill-core” and “rollup-runtime-polyfill-core,” mimic the legitimate “rollup-plugin-polyfill-node” project down to its description, repository metadata, and package structure. All six packages in the campaign have since been removed from the npm registry.

The attack uses a layered delivery chain designed to evade detection. The first-stage packages install hidden second-stage dependencies disguised as SVG utilities, which then fetch a JSON object from a remote hosting service and execute the payload embedded in it. JFrog said the structure, combined with lookalike names, legitimate-looking metadata, and environment checks designed to avoid sandboxes and cloud development platforms, is consistent with previous Lazarus-linked npm campaigns.

Once the later stages execute, the malware gives the attacker both collection and control capabilities across the compromised machine. The payload steals data from web browsers and cryptocurrency wallets, captures clipboard content periodically, and harvests files matching specific extensions. It also targets developer tool configurations for VS Code, Windsurf, and Cursor, along with credentials for AWS, Microsoft Azure, Google Gemini, Anthropic Claude, and SSH keys.

The campaign is not an isolated incident. In April, researchers at Panther documented a sustained Lazarus npm operation that published 108 malicious packages across 261 versions to deliver BeaverTail and OtterCookie, two known North Korean malware families linked to the Contagious Interview campaign. The latest packages share features with OtterCookie, including the use of a forked keyboard and mouse control library that enables interactive remote terminal sessions, screenshot capture, and simulated user input on compromised Windows machines.

The disclosure arrives alongside a broader wave of supply chain attacks targeting open-source package repositories. Checkmarx, SafeDep, and AWS researcher Chi Tran separately identified clusters of malicious packages across npm and PyPI that steal cloud credentials, cryptocurrency wallets, SSH keys, and developer secrets. Rollup plugins are commonly loaded from developer workstations and CI build pipelines, environments that have proven increasingly vulnerable to supply chain compromises and that often hold access to sensitive assets including source code, API keys, and project secrets.



Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


AirPods Pro 3

Jada Jones/ZDNET

This year’s WWDC is packed with announcements, including customization to the Liquid Glass display, substantial upgrades to Siri, and more intuitive device functionality.

Also: Apple WWDC 2026: Live updates on iOS 27, Siri, and Tim Cook’s last event as CEO

If you’re an avid AirPods user, there’s one announcement that may excite you, but speakers breezed past it, offering hardly any details. Still, Apple promised a real equalizer in iOS 27, finally giving users the opportunity to customize the sound of their AirPods. 

Apple didn’t say much about the equalizer, but a brief animation showed a graphic EQ, with options to create a custom EQ profile or choose Apple’s recommended EQ settings. Users can adjust lows, mids, and highs, though it’s unclear how precise the equalizer will be.

AirPods EQ WWDC

Apple

Previously, Apple had full faith in its headphones’ sound profile, vowing that its sound engineers crafted AirPods to sound as best as possible. Still, users prefer some control over their devices, and a custom EQ is a welcome addition.

Also: The feature Apple needs to make HomePod stand out isn’t audio-related

AirPods users could only change their AirPods sound profiles in Apple Music settings, and this customization feature still limited them to preset EQ profiles. 

An equalizer is a staple feature for consumer headphones, and even the most limited equalizers are better than none. Bose’s equalizer, for example, allows users to toggle bass, mids, and treble on a 20-point scale. 

Other companies, like JBL, offer a detailed equalizer with 10 frequency bands, adjustable in Hz. I don’t expect Apple’s equalizer to be as thorough as JBL’s, but instead to be on par with Bose’s. Either way, even if you’re content with your AirPods’ sound profile, the option to change it is what matters. 





Source link