North Korea-linked malicious npm packages masquerade as Rollup polyfills, enabling data theft. The packages mimic legitimate ones to gain remote access to sensitive developer information, highlighting ongoing threats to the software development community.
A group of malicious npm packages, tied to North Korean threat actors, has been discovered masquerading as Rollup polyfill tools. These packages, specifically "rollup-packages-polyfill-core" and "rollup-runtime-polyfill-core," closely resemble the legitimate "rollup-plugin-polyfill-node," including similarities in description and metadata.
Security firm JFrog, which analyzed the packages, noted that they were placed in the npm ecosystem so as to look plausible during a quick dependency review. The malicious packages have been linked with others, namely "quirky-token," "react-icon-svgs," "rollup-plugin-polyfill-connect," and "swift-parse-stream," all of which have since been removed from the npm registry.
The packages are designed to pull in additional dependencies that act as second-stage malware installers. For instance, executing "rollup-packages-polyfill-core" leads to loading "swift-parse-stream," while "rollup-runtime-polyfill-core" retrieves "quirky-token." These secondary packages pose as SVG utilities but fetch and execute malicious JavaScript from external URLs.
This incident is not isolated, as previous attacks linked to North Korea have involved similar strategies. In April 2026, 108 malicious npm packages, including "rollup-plugin-polyfill-route," were identified as part of a campaign delivering malware like BeaverTail and OtterCookie.
The sophistication and persistence of these tactics highlight the ongoing risks developers face from state-sponsored cyber activity. Developers should review their dependencies carefully, including the transitive ones a package pulls in, to reduce the risk of sensitive data being stolen.
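The two reported mechanisms, lookalike names and second-stage packages pulled in as dependencies, can be checked for mechanically. The following is an added example written for this summary; it is not code from JFrog, from the reporting, or from the packages themselves. It walks a project's dependency graph from a parsed package.json, using the package.json of each installed module, and flags three things: names the report lists as malicious, names that imitate a trusted package (the similarity threshold is an assumption for the example, not something from the report), and install-time lifecycle hooks, which npm runs automatically and which are therefore code execution on the developer's machine. The sample manifest, the installed-module records and the postinstall line are constructed for the example; the report does not quote the packages' real scripts.

```javascript
// Added example, not code from JFrog or from the npm packages in the report.
// Audits a parsed package.json plus the package.json of each installed module
// for known-bad names, lookalike names and install-time lifecycle hooks.

// Package names the reporting above identifies as malicious (since removed from npm).
const KNOWN_MALICIOUS = new Set([
  "rollup-packages-polyfill-core",
  "rollup-runtime-polyfill-core",
  "quirky-token",
  "react-icon-svgs",
  "rollup-plugin-polyfill-connect",
  "swift-parse-stream",
  "rollup-plugin-polyfill-route",
]);

// Legitimate packages whose names are imitated; the report names this one.
const TRUSTED = ["rollup-plugin-polyfill-node"];

// npm runs these scripts automatically on install, so a hook inside a
// dependency is code execution on the developer's machine.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic (assumed threshold, not from the report): a name that shares its
// leading token and at least two hyphen-separated tokens with a trusted
// package, but is not that package, is treated as a lookalike.
function lookalikeOf(name) {
  const tokens = name.split("-");
  for (const trusted of TRUSTED) {
    if (name === trusted) return null;
    const trustedTokens = trusted.split("-");
    const shared = tokens.filter((t) => trustedTokens.includes(t)).length;
    if (tokens[0] === trustedTokens[0] && shared >= 2) return trusted;
  }
  return null;
}

// manifest: parsed package.json of the project.
// installed: parsed package.json objects of installed modules (one per
// node_modules/<name>), each with name, version, optional scripts/dependencies.
// Returns a list of { package, kind, detail } findings in traversal order.
function auditDependencies(manifest, installed) {
  const findings = [];
  const byName = new Map(installed.map((p) => [p.name, p]));

  // Walk the graph from the manifest so transitive packages are checked too;
  // that is how the second-stage packages described above get pulled in.
  const seen = new Set();
  const queue = [
    ...Object.keys(manifest.dependencies || {}),
    ...Object.keys(manifest.devDependencies || {}),
  ];
  while (queue.length) {
    const name = queue.shift();
    if (seen.has(name)) continue;
    seen.add(name);

    if (KNOWN_MALICIOUS.has(name)) {
      findings.push({ package: name, kind: "known-malicious", detail: "listed in the report" });
    }
    const trusted = lookalikeOf(name);
    if (trusted) {
      findings.push({ package: name, kind: "lookalike", detail: `resembles ${trusted}` });
    }

    const pkg = byName.get(name);
    if (!pkg) {
      findings.push({ package: name, kind: "missing", detail: "declared but not installed" });
      continue;
    }
    for (const hook of LIFECYCLE_HOOKS) {
      if (pkg.scripts && pkg.scripts[hook]) {
        findings.push({ package: name, kind: "lifecycle-hook", detail: `${hook}: ${pkg.scripts[hook]}` });
      }
    }
    queue.push(...Object.keys(pkg.dependencies || {}));
  }
  return findings;
}

// Constructed sample input: a project that has pulled in one of the reported
// packages. The postinstall line is assumed for the example; the report does
// not quote the packages' real scripts.
const SAMPLE_MANIFEST = {
  name: "example-app",
  dependencies: { rollup: "^4.0.0", "rollup-packages-polyfill-core": "^1.0.0" },
};
const SAMPLE_INSTALLED = [
  { name: "rollup", version: "4.0.0", dependencies: {} },
  { name: "rollup-packages-polyfill-core", version: "1.0.0",
    dependencies: { "swift-parse-stream": "^1.0.0" } },
  { name: "swift-parse-stream", version: "1.0.0",
    scripts: { postinstall: "node ./setup.js" } },
];

for (const f of auditDependencies(SAMPLE_MANIFEST, SAMPLE_INSTALLED)) {
  console.log(`[${f.kind}] ${f.package}: ${f.detail}`);
}
```

In a real project the `installed` list would be built by reading `node_modules/*/package.json` (and the scoped `@org/*` directories); the denylist should be replaced by a feed from the registry or a security vendor, since the names here are only the ones this report mentions. Note that the lookalike check catches the two first-stage packages because they keep the "rollup" and "polyfill" tokens of the package they imitate, while the second-stage package "swift-parse-stream" is caught only by the denylist and by its install hook, which is why all three signals are worth running together.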
This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.