North Korea-Linked npm Packages Impersonate Rollup Polyfill Tools to Steal Developer Secrets

Threat actors with ties to North Korea have been linked to a new set of malicious npm packages that masquerade as Rollup polyfill tools to enable remote access and data theft.
According to JFrog, the “rollup-packages-polyfill-core” and “rollup-runtime-polyfill-core” packages mimic the official “rollup-plugin-polyfill-node” project, down to the description, repository metadata, and package structure.
“The packages sit in the same rollup, polyfill, and node naming space, which lets them blend in during a quick dependency review,” JFrog said in its technical write-up of the campaign.
The campaign also includes four other packages, all of which have since been removed from the npm registry –
- swift-parse-stream
- quirky-token
- react-icon-svgs
- rollup-plugin-polyfill-connect
Notably, “rollup-packages-polyfill-core” depends on and loads “swift-parse-stream,” while “rollup-runtime-polyfill-core” does the same with “quirky-token.” In the same way, “react-icon-svgs” was found to pull in “rollup-plugin-polyfill-connect” as its second stage.
“The second-stage packages are near-identical SVG utilities that download a JSON object from JSONKeeper and evaluate the model field,” the cybersecurity firm said. “This layered structure, along with look-alike names, legitimate-looking metadata, hidden install-time execution, environment checks, and data theft/remote access payloads, is similar to previous North Korean npm campaigns linked to Lazarus.”
It should be emphasized that this is not the first time North Korean threat actors have uploaded npm packages masquerading as Rollup polyfill tools. In April 2026, Panther detailed a sustained npm campaign that involved publishing 108 malicious npm packages spanning 261 versions to deliver BeaverTail and OtterCookie, two known malware families linked to Contagious Interview. Among those packages was “rollup-plugin-polyfill-route,” published on March 20, 2026.
The attack chain begins with a Base64-encoded npm install command for “swift-parse-stream” (or “quirky-token”) hidden inside “rollup-packages-polyfill-core” (or “rollup-runtime-polyfill-core”). The two second-stage packages are dressed up as SVG sanitization utilities, but their real purpose is to reach out to the JSONKeeper URL to retrieve and execute the JavaScript malware.
The JavaScript code performs environment checks to avoid running inside cloud development environments, sandboxes, serverless runtimes, and analysis infrastructure. Once past this gate, the malware installs the dependencies it needs and contacts an external server (“216.126.236[.]244”) to download encrypted JavaScript payloads.
The decrypted payload then acts as a loader for additional scripts that enable remote access to the compromised host: interactive terminal sessions, command execution, screenshot capture, process termination, and Windows-only mouse movement, clicks, scrolling, key presses, and hotkeys via the “@nut-tree-fork/nut-js” package. The scripts also steal data from web browsers and cryptocurrency wallets, collect files matching certain extensions, and periodically capture the contents of the clipboard.

The capabilities overlap with those of OtterCookie; the use of “@nut-tree-fork/nut-js” for remote mouse and keyboard control was also noted in a package called “express-session-js,” which SafeDep detailed in April 2026. The file collection routine was found to specifically target configuration files and history associated with Microsoft Visual Studio, AWS, Microsoft Azure, Google Gemini, Anthropic Claude, Foundry, SSH, and Z shell (Zsh).
“Rollup plugins are often loaded from local setup files, developer workspaces, and CI jobs,” JFrog said. “These environments often have access to sensitive assets such as source code, npm tokens, Git credentials, cloud keys, SSH keys, browser data, and project secrets.”
“The payload is also broader than a simple download. Once the later stages are in place, the attacker gains both collection and control capabilities. This makes the payload compatible with developer workstations and build machines, where API keys, SSH keys, wallet assets, cloud credentials, and project secrets often reside.”
The disclosure coincides with the discovery of multiple software supply chain attacks by Checkmarx, SafeDep, and AWS security researcher Chi Tran, all aimed at poisoning open source repositories and stealing sensitive data –
- A cluster of at least eight trojanized “pyrogram” forks published on PyPI by a threat actor operating under multiple identities between November 2025 and June 2026. They contain a hidden backdoor that grants full remote control over any server running the infected package by executing arbitrary Python code or shell commands sent by the attacker, with the results of command execution exfiltrated via Telegram. Checkmarx codenamed the operation Operation Navy Ghost.
- A collection of 30 npm packages that imitate Polymarket tools and common math libraries, published by 10 npm maintainer accounts and aimed at DeFi developers, delivering a JavaScript infostealer that reads crypto wallet vaults, browser credentials, SSH keys, AWS credentials, npm tokens, Docker configuration, shell history, and database management tool configuration.
- A set of 25 npm packages published under the @marketfront scope by an npm account named “marketfront” that contain a post-install credential harvester. It reads 20 credential and secrets files, including ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.netrc, ~/.git-credentials, ~/.env, and shell history, and exfiltrates the data.
- A Python package called “security-alerts-sdk” that claims to be a data breach monitoring tool but contains code to open a backdoor that periodically polls an external server (“142.93.211[.]”).
- A cluster of 15 npm packages published by a single threat actor operating under 13 npm scopes that triggers a postinstall JavaScript payload responsible for downloading and executing a Rust-compiled ELF binary hosted on GitHub, which then harvests a wide range of data from cryptocurrency wallets, web browsers, and other applications, including cloud provider tokens, SSH keys, messaging platform sessions, database client configuration, and developer information.
- An npm package named “events-runtime” that typosquats the “events” package and conditionally spawns a cryptocurrency wallet stealer, exfiltrates host reconnaissance data over Slack and Telegram, opens a bidirectional Slack command channel, and reads configuration and payload chunks from an Ethereum smart contract used as a dead drop resolver. The malicious logic fires only if the event ID is “eventId0.”