Key Takeaways

  • JFrog uncovered six npm packages impersonating Rollup polyfill tooling that implemented multi-stage JavaScript malware.
  • The Lazarus Group is linked to the campaign, which targeted developer workstations and CI environments to steal cloud keys, AI tool secrets, and other credentials.
  • The incident highlights the expanding risk of software supply chain attacks across npm and PyPI, a trend underscored by NIST, Gartner, and ENISA research.

JFrog has published new findings pointing to another coordinated software supply chain intrusion tied to North Korea. The operation relied on npm packages crafted to resemble legitimate Rollup polyfill tooling and, at a glance, seemed plausible to any developer performing a quick dependency check. This surface-level believability enables the campaign to bypass rapid manual reviews.

According to JFrog, the two primary packages, rollup-packages-polyfill-core and rollup-runtime-polyfill-core, intentionally mimicked rollup-plugin-polyfill-node in naming, metadata, and structural layout. Four additional packages—quirky-token, react-icon-svgs, rollup-plugin-polyfill-connect, and swift-parse-stream—extended the campaign. All six have been removed from the npm registry.

These packages used a chained execution structure. The rollup-packages-polyfill-core package pulled in swift-parse-stream, while rollup-runtime-polyfill-core installed quirky-token. The react-icon-svgs package brought in rollup-plugin-polyfill-connect as a second stage. These second-stage components pretended to be SVG sanitization utilities, but JFrog found that they contacted JSONKeeper to retrieve a JSON object, then executed the contents of its model field.

This layered architecture, hidden install-time execution, and environment checking closely align with previous North Korean Lazarus-linked npm campaigns. The script performed checks to avoid running in cloud IDEs, sandboxes, or analysis environments. After clearing those gates, it pulled an encrypted JavaScript payload from 216.126.236[.]244. That payload then served as a loader for remote access and data theft capabilities, including interactive terminal access, screenshot capture, process termination, browser data extraction, cryptocurrency wallet harvesting, and Windows-specific mouse and keyboard automation via the @nut-tree-fork/nut-js module.

Threat actors target Rollup plugins because they are frequently loaded in developer workstations, CI jobs, or local configuration files. JFrog pointed out that these paths often contain Git credentials, cloud keys, npm tokens, SSH keys, browser data, and other valuable assets. This context gives attackers broad access across the development pipeline.

The file collection routines searched for histories tied to Microsoft Visual Studio Code, Windsurf, and Cursor, along with developer configurations for AWS, Microsoft Azure, Google Gemini, Anthropic Claude, Foundry, and various shell environments. For organizations accelerating AI pipelines, this reconnaissance targets proprietary model environments and platforms, putting both source code and critical configuration tokens at risk.

Industry research points to a broader shift in targeting. ENISA's 2023 supply chain report highlighted the rising use of open-source dependency impersonation across ecosystems like npm and PyPI. Meanwhile, the NIST SSDF publication from 2022 recommended verifying package integrity, provenance, and trust relationships inside CI pipelines, noting how adversaries increasingly target upstream developer tools rather than production systems directly. Gartner's 2023 forecast suggested that by 2025, 45% of global organizations would experience software supply chain attacks.

The rollout of this campaign intersects with other recent waves of repository poisoning. Checkmarx, SafeDep, and an AWS security researcher have each disclosed clusters of malicious packages in recent months. These include trojanized pyrogram forks with remote shell capabilities, npm packages targeting DeFi developers with infostealing logic, and postinstall credential harvesters that read ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.npmrc, and numerous other sensitive files. A separate npm package was even found pulling command and control instructions from an Ethereum smart contract.

This activity has led to more disciplined guidance from developer-focused communities. The Open Source Security Foundation and the broader DevSecOps community emphasize stronger dependency scanning, tighter restrictions on package publishing, and reproducible build processes. Analysts at the CNCF have also discussed the growing challenge of securing sprawling toolchains that mix first-party code with thousands of upstream open-source dependencies.

Attackers are moving upstream because developer environments offer a direct bridge into high-privilege systems. Developer laptops and CI systems carry a density of secrets that other endpoints do not, and adversaries target these environments to exploit their integrated access. Mitigation practices include rotating credentials after any suspicious package installation, blocking outbound traffic to known malicious hosts, enabling automated dependency scanning, and reducing the sprawl of unverified packages inside CI pipelines.
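As an added example (not JFrog's tooling and not part of the original report), the following Node.js check applies the dependency-scanning step to the six package names listed above: it walks a parsed package-lock.json, reports any of those names, shows which entry declared each one so the first-stage to second-stage chain is visible, and lists every package npm marked with hasInstallScript. The sample lockfile, its versions, and the names example-bundler and example-native-addon are constructed for illustration.

```javascript
// Package names reported by JFrog, taken from the article above.
const REPORTED = new Set([
  "rollup-packages-polyfill-core", "rollup-runtime-polyfill-core", "quirky-token",
  "react-icon-svgs", "rollup-plugin-polyfill-connect", "swift-parse-stream",
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// Takes a parsed package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map).
function auditLockfile(lock) {
  const all = Object.entries(lock.packages || {});
  const label = (p) => (p === "" ? "(project root)" : packageName(p));
  const reported = [];
  const installScripts = [];
  for (const [path, meta] of all) {
    if (path === "") continue; // the root entry describes the project itself
    const name = packageName(path);
    if (meta.hasInstallScript === true) installScripts.push(name);
    if (!REPORTED.has(name)) continue;
    // Every entry that declares this package, which exposes the install chain.
    const requiredBy = all
      .filter(([, m]) => name in { ...m.dependencies, ...m.devDependencies, ...m.optionalDependencies })
      .map(([p]) => label(p));
    reported.push({ name, version: meta.version, installScript: meta.hasInstallScript === true, requiredBy });
  }
  return { reported, installScripts };
}

// Constructed sample lockfile: versions and the non-reported package names are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", devDependencies: { "example-bundler": "^1.0.0", "rollup-packages-polyfill-core": "^1.0.0" } },
    "node_modules/example-bundler": { version: "1.0.0" },
    "node_modules/rollup-packages-polyfill-core": { version: "1.0.0", hasInstallScript: true, dependencies: { "swift-parse-stream": "^1.0.0" } },
    "node_modules/swift-parse-stream": { version: "1.0.0" },
    "node_modules/example-native-addon": { version: "1.0.0", hasInstallScript: true },
  },
};

console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

For a real project, pass in `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Any entry in `reported` is grounds for the credential rotation described above, whether or not its install-script flag is set.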

Incidents involving the Lazarus Group demonstrate that threat actors continuously target the software build process. Securing the modern supply chain requires treating dependency trust and continuous scanning as mandatory operational requirements rather than optional technical safeguards.