
North Korea-linked npm malware mimics Rollup polyfills

North Korea-linked npm malware posing as Rollup polyfills stole browser data, crypto-wallet files and developer secrets, JFrog said.

By Reza Khalil. 3 min read

Security researchers at JFrog Security Research say six malicious npm packages posing as Rollup polyfills were used to steal browser data, crypto-wallet files and developer secrets in a campaign linked to North Korean actors. JFrog said the packages could also give attackers remote access to infected machines.

The cluster impersonated Rollup-related utilities around rollup-plugin-polyfill-node, a legitimate package with about 295,000 weekly downloads and 1.2 million downloads over the past month. For front-end and Node.js teams, the placement is the problem. Build tooling is installed quickly, copied between projects or pulled into CI jobs, and a familiar package name can pass through a long dependency list without attracting a second look.

According to JFrog, the malware first profiled the host. It then searched Chromium-based browsers and crypto-wallet directories before fetching more code from a command-and-control server. The second stage was a 114 KB AES-wrapped JavaScript payload that, once decrypted, expanded the theft to stored credentials and other developer secrets while leaving a route for remote control.

Browser data gives attackers a practical shortcut. Developers often keep cloud consoles, code-hosting accounts and internal dashboards signed in on the same workstation they use for builds, so a local package install can expose more than the project that pulled it in.

That is the developer-workstation angle security teams may miss if they look only for poisoned production artefacts.

The names were built for a quick glance rather than a close audit. In its report, JFrog wrote that “the names remain close to the legitimate project without being exact typos.”

That choice meant the cluster did not need to mimic a major framework or take over a well-known account. A familiar-looking helper package inside a build stack can still reach a developer machine, particularly when an install script runs before anyone reviews the code behind the package.

JFrog linked the campaign to Lazarus Group through code overlaps and operational similarities, but did not present the attribution as settled. SecurityOnline noted that “the link rests on similarity, not hard proof”, a useful caveat for teams deciding how widely to scope an incident response. The technique still fits a broader pattern in North Korea-linked supply-chain activity, where modest packages and post-install scripts are used to reach developer credentials, browser sessions and cryptocurrency assets.

For software teams, the risk is not limited to tainted production code. A compromised package can make the developer workstation the primary target, exposing tokens, stored passwords and session material that may open source repositories, cloud services or internal admin tools. That is harder to spot than a broken application build, especially in JavaScript projects that inherit hundreds of transitive packages and rely on small helpers maintained outside the core application team. The same exposure can matter for Australian companies using offshore contractors, shared build agents or bring-your-own-device arrangements, where the boundary between local workstation and corporate system is already blurred.

The JFrog findings put more pressure on organisations to review how new npm dependencies enter local machines and automated build pipelines. Defenders should watch for unfamiliar Rollup-related packages, scrutinise post-install behaviour and treat browser-stored developer data as part of the supply-chain attack surface.
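One way to act on that advice, as an added example that is not code from JFrog, the article or any project: a small Node.js audit that flags dependency names sitting close to rollup-plugin-polyfill-node without matching it exactly, and packages that declare lifecycle scripts which run at install time. Every package name and manifest in it is constructed for the demo.

```javascript
// Added example (not from JFrog's report): flag two warning signs from the
// article in a set of package.json manifests: near-miss names for a legitimate
// Rollup package, and scripts that run at install time before anyone reads the
// code. All package names and manifests below are constructed for the demo.
const LEGIT_NAMES = ["rollup-plugin-polyfill-node"];
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Levenshtein edit distance between two strings (insert/delete/substitute = 1).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Returns the legitimate name a package name is suspiciously close to, or null.
// Exact matches are fine; "close" means within ~30% of the legitimate name's length.
function lookalikeOf(name) {
  for (const legit of LEGIT_NAMES) {
    const dist = editDistance(name, legit);
    if (dist > 0 && dist <= Math.floor(legit.length * 0.3)) return legit;
  }
  return null;
}

// manifests: { [packageName]: parsed package.json }. Returns one finding per
// package that is a lookalike and/or declares install-time scripts, sorted by name.
function auditManifests(manifests) {
  const findings = [];
  for (const [name, pkg] of Object.entries(manifests)) {
    const scripts = pkg.scripts || {};
    const installScripts = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
    const near = lookalikeOf(name);
    if (near || installScripts.length > 0) findings.push({ name, lookalikeOf: near, installScripts });
  }
  return findings.sort((x, y) => x.name.localeCompare(y.name));
}

// Constructed sample: the real name, two lookalikes, an unrelated package with
// only a test script, and an unrelated package with a legitimate-looking install hook.
const SAMPLE_MANIFESTS = {
  "rollup-plugin-polyfill-node": { scripts: { build: "tsc" } },
  "rollup-plugin-polyfills-node": { scripts: { postinstall: "node setup.js" } },
  "rollup-polyfill-node": {},
  "lodash": { scripts: { test: "jest" } },
  "some-native-addon": { scripts: { install: "node-gyp rebuild" } },
};
console.log(JSON.stringify(auditManifests(SAMPLE_MANIFESTS), null, 2));
```

On a real project, feed it the parsed node_modules/*/package.json files; findings with install hooks are the ones to read before the next install, and `npm install --ignore-scripts` keeps those hooks from running until that review is done.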


Reza Khalil

Cybersecurity reporter covering breaches, threat intel, and the ACSC beat. Former incident responder. Reports from Canberra.
