North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets

North Korean-linked threat actors have been using fake Rollup polyfill npm packages to deliver layered malware that enables remote access, credential theft, and data collection from developer environments. The campaign overlaps with earlier Lazarus-linked npm activity and targets sensitive assets such as source code, cloud keys, SSH keys, browser data, and cryptocurrency wallets.

Tags: #Rollup #Lazarus #BeaverTail #OtterCookie #ContagiousInterview

Key points

  • Fake npm packages mimicked legitimate Rollup polyfill tooling to appear trustworthy.
  • The malicious packages used hidden install-time execution and staged payload delivery.
  • Second-stage components fetched and executed JavaScript from JSONKeeper.
  • The payload provided remote access, screen capture, input control, and file theft.
  • Similar npm and PyPI supply chain attacks also targeted credentials and secrets.

Read More: https://thehackernews.com/2026/07/north-korea-linked-npm-packages-mimic.html