{"id":736997,"date":"2026-07-04T14:00:39","date_gmt":"2026-07-04T11:00:39","guid":{"rendered":"https:\/\/buradabiliyorum.com\/en\/north-korea-linked-npm-packages-impersonate-rollup-polyfill-tools-to-steal-developer-secrets\/"},"modified":"2026-07-04T14:00:39","modified_gmt":"2026-07-04T11:00:39","slug":"north-korea-linked-npm-packages-impersonate-rollup-polyfill-tools-to-steal-developer-secrets","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/north-korea-linked-npm-packages-impersonate-rollup-polyfill-tools-to-steal-developer-secrets\/","title":{"rendered":"North Korea-linked npm packages impersonate Rollup polyfill tools to steal developer secrets"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_85 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-6a4f5c60c2e4c\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #dd3333;color:#dd3333\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #dd3333;color:#dd3333\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-6a4f5c60c2e4c\" checked aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/buradabiliyorum.com\/en\/north-korea-linked-npm-packages-impersonate-rollup-polyfill-tools-to-steal-developer-secrets\/#TLDR\" >TL;DR<\/a><\/li><\/ul><\/nav><\/div>\n<p><img decoding=\"async\" src=\"https:\/\/media.thenextweb.com\/2026\/07\/north-korea-npm-rollup-polyfill-developer-secrets.avif\" \/><\/p>\n<div id=\"article-main-content\">\n<div class=\"postContent-tldr\">\n<h4 class=\"postContent-offsetTitle\"><span class=\"ez-toc-section\" id=\"TLDR\"><\/span>TL;DR<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p><em>Six malicious npm packages mimicking Rollup polyfill tools stole developer credentials and enabled remote access in a Lazarus-linked campaign.<\/em><\/p>\n<\/div>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/thehackernews.com\/2026\/07\/north-korea-linked-npm-packages-mimic.html\" target=\"_blank\" rel=\"nofollow noopener\">Security researchers at JFrog have identified a set of malicious npm packages linked to North Korean threat<\/a> actors that impersonate legitimate Rollup polyfill tooling to steal developer credentials and enable remote access to compromised machines. The packages, named \u201c<em>rollup-packages-polyfill-core<\/em>\u201d and \u201c<em>rollup-runtime-polyfill-core,<\/em>\u201d mimic the legitimate \u201c<em>rollup-plugin-polyfill-node<\/em>\u201d project down to its de<a href=\"https:\/\/buradabiliyorum.com\/en\/category\/download-scripts-themes-apps\/\" data-internallinksmanager029f6b8e52c=\"9\" title=\"Download Scripts &amp; Themes &amp; Apps\" target=\"_blank\" rel=\"noopener\">script<\/a>ion, repository metadata, and package structure. All six packages in the campaign have since been removed from the npm registry.<\/p>\n<p>The attack uses a layered delivery chain designed to evade detection. The first-stage packages install hidden second-stage dependencies disguised as SVG utilities, which then fetch a JSON object from a remote hosting service and execute the payload embedded in it. JFrog said the structure, combined with lookalike names, legitimate-looking metadata, and environment checks designed to avoid sandboxes and cloud development platforms, is consistent with previous Lazarus-linked npm campaigns.<\/p>\n<p>Once the later stages execute, the malware gives the attacker both collection and control capabilities across the compromised machine. The payload steals data from web browsers and cryptocurrency wallets, captures clipboard content periodically, and harvests files matching specific extensions. It also targets developer tool configurations for VS Code, Windsurf, and Cursor, along with credentials for AWS, Microsoft Azure, Google Gemini, Anthropic Claude, and SSH keys.<\/p>\n<div class=\"inarticle-wrapper channel-cta\">\n<div class=\"ica-text\">\n<p class=\"ica-text__title\">TNW City Coworking space &#8211; Where your best work happens<\/p>\n<p>A workspace designed for growth, collaboration, and endless networking opportunities in the heart of tech.<\/p>\n<\/div>\n<\/div>\n<p>The campaign is not an isolated incident. In April, researchers at Panther documented a sustained Lazarus npm operation that published 108 malicious packages across 261 versions to deliver BeaverTail and OtterCookie, two known North Korean malware families linked to the Contagious Interview campaign. The latest packages share features with OtterCookie, including the use of a forked keyboard and mouse control library that enables interactive remote terminal sessions, screenshot capture, and simulated user input on compromised Windows machines.<\/p>\n<p>The disclosure arrives alongside a broader wave of supply chain attacks targeting open-source package repositories. Checkmarx, SafeDep, and AWS researcher Chi Tran separately identified clusters of malicious packages across npm and PyPI that steal cloud credentials, cryptocurrency wallets, SSH keys, and developer secrets. Rollup plugins are commonly loaded from developer workstations and CI build pipelines, environments that have proven increasingly vulnerable to supply chain compromises and that often hold access to sensitive assets including source code, API keys, and project secrets.<\/p>\n<\/p><\/div>\n<blockquote><p><strong><span style=\"color: #ff6600;\">If you liked the article, do not forget to share it with your friends. Follow us on\u00a0<span style=\"color: #ff0000;\"><a style=\"color: #ff0000;\" href=\"https:\/\/news.google.com\/publications\/CAAqBwgKMN63nwsw68G3Aw\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Google News<\/a><\/span>\u00a0too, click on the star and choose us from your favorites.<\/span><\/strong><\/p><\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\"><strong>If you want to read more like this article, you can visit our <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/buradabiliyorum.com\/en\/category\/technology\/\" target=\"_blank\" >Technology category.<\/a><\/span><\/strong><\/p>\n<\/blockquote>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/thenextweb.com\/news\/north-korea-npm-rollup-polyfill-developer-secrets\" target=\"_blank\" >Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>TL;DR Six malicious npm packages mimicking Rollup polyfill tools stole developer credentials and enabled remote access in a Lazarus-linked campaign. Security researchers at JFrog have identified a set of malicious npm packages linked to North Korean threat actors that impersonate legitimate Rollup polyfill tooling to steal developer credentials and enable remote access to compromised machines&#8230;.<\/p>\n","protected":false},"author":1,"featured_media":736998,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/media.thenextweb.com\/2026\/07\/north-korea-npm-rollup-polyfill-developer-secrets.avif","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-736997","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/736997","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=736997"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/736997\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/736998"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=736997"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=736997"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=736997"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}