    North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets

    By admin, July 3, 2026

    Threat actors with ties to North Korea have been linked to a fresh set of malicious npm packages that masquerade as Rollup polyfill tooling to facilitate remote access and data theft.

    According to JFrog, the packages “rollup-packages-polyfill-core” and “rollup-runtime-polyfill-core” mimic the legitimate “rollup-plugin-polyfill-node” project, down to the description, repository metadata, and package shape.

    “The lookalike packages place themselves in the same rollup, polyfill, core, and node naming space, which can look plausible during a quick dependency review,” JFrog said in a technical write-up of the campaign.

    The campaign also involves four other packages, all of which have since been removed from the npm registry:

    • quirky-token
    • react-icon-svgs
    • rollup-plugin-polyfill-connect
    • swift-parse-stream

    What’s noteworthy here is that “rollup-packages-polyfill-core” installs and loads “swift-parse-stream,” while “rollup-runtime-polyfill-core” installs and loads “quirky-token.” In a similar fashion, “react-icon-svgs” has been found to install “rollup-plugin-polyfill-connect” as a second stage.


    “The second-stage packages are near-identical SVG utilities that fetch a JSON object from JSONKeeper and eval the model field,” the cybersecurity company said. “This layered structure, together with the lookalike names, legitimate-looking metadata, hidden install-time execution, environment checks, and credential-theft/remote-access payloads, is similar to previous North Korean Lazarus-linked npm campaigns.”

    It’s worth emphasizing here that this is not the first time North Korean threat actors have uploaded npm packages impersonating Rollup polyfill tools. In April 2026, Panther detailed a sustained npm campaign that involved publishing 108 malicious npm packages spanning 261 versions to deliver BeaverTail and OtterCookie, two known malware families linked to Contagious Interview. Among those packages was “rollup-plugin-polyfill-route,” which was published on March 20, 2026.

    The starting point of the attack is a Base64-encoded npm install command for “swift-parse-stream” (or “quirky-token”) that’s concealed within “rollup-packages-polyfill-core” (or “rollup-runtime-polyfill-core”). The two second-stage packages are dressed up as SVG sanitization utilities but reach out to a JSONKeeper URL to retrieve and execute JavaScript malware.

    The JavaScript code runs checks to avoid execution within cloud development environments, sandboxes, serverless runtimes, and analysis infrastructure. Past this gate, the malware installs the necessary dependencies and reaches out to an external server (“216.126.236[.]244”) to fetch an encrypted JavaScript payload.

    The decrypted payload then acts as a loader for additional scripts that enable remote access to the compromised host: interactive terminal sessions, command execution, screenshot capture, process termination, and (on Windows only) mouse movement, clicks, scrolling, keyboard presses, and hotkeys via the “@nut-tree-fork/nut-js” package. The same scripts also steal data from web browsers and cryptocurrency wallets, collect files matching specific extensions, and periodically capture clipboard content.

    The features overlap with those of OtterCookie, with the use of “@nut-tree-fork/nut-js” for remote mouse and keyboard control also observed in a package named “express-session-js” that was detailed by SafeDep in April 2026. The file collector component has been found to specifically look for editor history associated with Microsoft Visual Studio Code, Windsurf, and Cursor, along with developer and AI tool configurations, such as AWS, Microsoft Azure, Google Gemini, Anthropic Claude, Foundry, SSH, and Z shell (Zsh).

    “Rollup plugins are commonly loaded from local configuration files, developer workstations, and CI jobs,” JFrog said. “These environments often have access to sensitive assets such as source code, npm tokens, Git credentials, cloud keys, SSH keys, browser data, and project secrets.”

    “The payload is also broader than a simple downloader. Once the later stages run, the attacker gains both collection and control capabilities. This makes the payload relevant to developer workstations and build machines, where API keys, SSH keys, wallet material, cloud credentials, and project secrets are often present.”


    The disclosure coincides with the discovery of multiple software supply chain attacks by Checkmarx, SafeDep, and AWS security researcher Chi Tran aimed at poisoning open-source package repositories and stealing valuable data:

    • A cluster of at least eight trojanized “pyrogram” forks published by a threat actor operating under multiple identities between November 2025 and June 2026, including a hidden backdoor that grants them full remote control over any server running the infected PyPI package by running arbitrary Python code or shell commands sent by the attacker. The results of the command execution are exfiltrated via Telegram. The activity has been codenamed Operation Navy Ghost by Checkmarx.
    • A cluster of 30 npm packages mimicking Polymarket tooling and general mathematics libraries published by 10 npm maintainer accounts that targeted DeFi developers to deliver a JavaScript infostealer that reads crypto wallet vaults, browser credentials, SSH keys, AWS credentials, npm tokens, Docker configurations, shell history, and password manager databases.
    • A cluster of 25 npm packages published under the @marketfront scope by an npm account named “marketfront” that contains a postinstall credential harvester that reads 20 credential and secret files, including ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, ~/.env, and shell history, and exfiltrates the data.
    • A Python package named “security-alerts-sdk” that claims to be a data breach-monitoring tool but harbors code to launch a backdoor that periodically polls an external server (“142.93.211[.]30:5000”) for commands and exfiltrates SSH private keys, AWS credentials, Docker/npm/PyPI/git tokens, .env files, and browser credential databases to the same server.
    • A cluster of 15 npm packages published by a single threat actor operating under 13 npm scopes that triggers a postinstall JavaScript payload responsible for downloading and executing a Rust-compiled ELF binary hosted on GitHub, which then harvests a wide range of data from cryptocurrency wallets, web browsers, and other applications, including cloud provider tokens, SSH keys, messaging platform sessions, database client configurations, and developer credentials.
    • An npm package named “events-runtime” that typosquats the “events” package and conditionally spawns a cryptocurrency wallet stealer, exfiltrates host reconnaissance data over Slack and Telegram, opens a bidirectional Slack command channel, and reads configuration and payload chunks from an Ethereum smart contract used as a dead drop resolver. The malicious logic is fired only when the event ID is “eventId0.”
    • An npm package named “o3forms” that steals cloud service provider credentials, scans developer secrets and CI/CD environments, performs internal network reconnaissance, and exfiltrates the data to an attacker-controlled Cloudflare Workers endpoint. “The attacker split the attack into a deliberately benign, registry-published package and a GitHub-pinned *-utils sub-dependency that carries both the install hooks and the actual malware,” Tran said. “This structure is designed specifically to defeat the static and lifecycle-script scanning that most registry-side and CI-side tooling relies on.”

    Users who have installed any of the aforementioned packages are advised to remove them from their workstations, assume compromise and rotate credentials, block the malicious egress channels, and enable dependency scanning in CI/CD pipelines to flag newly published or suspicious packages.
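A defender's check that follows from the layered structure described above and from this remediation advice, added here as an example and not code from JFrog or the article: it takes an inventory of installed packages (constructed inline, hypothetical metadata), flags the package names the article lists, flags other names in the rollup/polyfill naming space that are not the legitimate rollup-plugin-polyfill-node, and decodes Base64 runs in install-time lifecycle scripts to surface a concealed npm install of a second-stage package.

```javascript
// Added defensive example (not JFrog's or the article's code): audit an inventory of
// installed npm packages for the names reported above, for lookalikes of the legitimate
// rollup-plugin-polyfill-node, and for install hooks hiding a Base64-encoded npm install.

// Package names the article lists as malicious (all since removed from npm).
const KNOWN_BAD = new Set([
  "rollup-packages-polyfill-core", "rollup-runtime-polyfill-core", "quirky-token",
  "react-icon-svgs", "rollup-plugin-polyfill-connect", "swift-parse-stream",
]);
const LEGIT = new Set(["rollup-plugin-polyfill-node"]);
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Decode every long Base64 run in a script command; return the decoded text if it
// turns out to be an npm install, else null.
function hiddenInstall(cmd) {
  for (const m of cmd.matchAll(/[A-Za-z0-9+/]{16,}={0,2}/g)) {
    const decoded = Buffer.from(m[0], "base64").toString("utf8");
    if (/\bnpm\s+(i|install)\b/.test(decoded)) return decoded;
  }
  return null;
}

// inventory: [{ name, version, scripts }] as read from node_modules/*/package.json.
function auditPackages(inventory) {
  const findings = [];
  for (const pkg of inventory) {
    if (KNOWN_BAD.has(pkg.name)) {
      findings.push({ name: pkg.name, reason: "known malicious package" });
    } else if (/rollup/.test(pkg.name) && /polyfill/.test(pkg.name) && !LEGIT.has(pkg.name)) {
      findings.push({ name: pkg.name, reason: "lookalike of rollup-plugin-polyfill-node" });
    }
    for (const hook of INSTALL_HOOKS) {
      const cmd = pkg.scripts && pkg.scripts[hook];
      const decoded = cmd ? hiddenInstall(cmd) : null;
      if (decoded) findings.push({ name: pkg.name, reason: `${hook} decodes to: ${decoded}` });
    }
  }
  return findings;
}

// Constructed sample inventory (hypothetical metadata, not real package.json files).
const SAMPLE = [
  { name: "rollup-plugin-polyfill-node", version: "0.13.0", scripts: {} },
  { name: "rollup-packages-polyfill-core", version: "1.0.0", scripts: { postinstall:
      "node scripts/setup.js " + Buffer.from("npm install swift-parse-stream").toString("base64") } },
  { name: "rollup-vite-polyfill-helper", version: "0.1.0", scripts: {} },
  { name: "left-pad", version: "1.3.0", scripts: { postinstall: "node build.js" } },
];
console.log(auditPackages(SAMPLE)); // 3 findings on the constructed sample
```

In a real pipeline the inventory would be built by reading each node_modules/*/package.json, and any finding should be treated as a reason to rotate the credentials reachable from that workstation or CI runner.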
