Full Report
Threat actors with ties to North Korea have been linked to a fresh set of malicious npm packages that masquerade as Rollup polyfill tooling to facilitate remote access and data theft. According to JFrog, the packages "rollup-packages-polyfill-core" and "rollup-runtime-polyfill-core" mimic the legitimate "rollup-plugin-polyfill-node" project, down to the description, repository metadata, and
Analysis Summary
# Threat Actor: Lazarus Group (related to Contagious Interview)
## Attribution & Identity
* **Actor Identification:** Threat actors linked to North Korea (DPRK).
* **Known Associations:** Lazarus Group, Contagious Interview.
* **Note:** The campaign is linked to high-profile North Korean hacking units known for targeting the software supply chain and crypto-assets.
## Activity Summary
* **Campaign (2026):** A sophisticated supply chain attack involving malicious npm packages masquerading as legitimate Rollup polyfill tools. This campaign uses layered execution and heavily obfuscated JavaScript to deliver info-stealers and Remote Access Trojans (RATs).
* **Related Operations:** Similar to the April 2026 campaign that published 108 malicious packages (e.g., `rollup-plugin-polyfill-route`) to deliver the "BeaverTail" and "OtterCookie" malware families.
## Tactics, Techniques & Procedures
* **Typosquatting/Masquerading:** Using package names like `rollup-packages-polyfill-core` and `rollup-runtime-polyfill-core` to mimic the legitimate `rollup-plugin-polyfill-node`.
* **Staged Execution:** A multi-stage infection chain where a primary package calls a second-stage utility (e.g., `swift-parse-stream`) to evade initial detection.
* **Evasion:** Malware conducts environment checks to detect if it is running in a sandbox, cloud development environment, or analysis infrastructure before executing the final payload.
* **Remote Keyboard/Mouse Control:** Utilization of the `@nut-tree-fork/nut-js` package to facilitate interactive sessions (mouse movement, clicks, scrolling).
* **Information Facilitation:** Use of JSONKeeper to host malicious JSON models that trigger the `eval()` function for code execution.
## Targeting
* **Sectors:** Software Development, Cryptocurrency, Cloud Services.
* **Geography:** Global (targeting developers regardless of region).
* **Victims:** Individual software developers, DevOps engineers using npm/Javascript ecosystems, and users of AI-assisted coding tools (Cursor, Windsurf).
## Tools & Infrastructure
* **Malware Families:** OtterCookie, BeaverTail (by association with similar TTPs).
* **Malicious npm Packages:**
* `rollup-packages-polyfill-core`
* `rollup-runtime-polyfill-core`
* `quirky-token`
* `react-icon-svgs`
* `rollup-plugin-polyfill-connect`
* `swift-parse-stream`
* **Infrastructure:**
* **C2 IP:** 216.126.236[.]244
* **Data Hosting:** JSONKeeper (used for staging payloads)
## Implications
The campaign demonstrates a highly targeted approach toward the modern developer stack. By moving beyond general system info-stealing to specifically targeting AI tool configurations (Gemini, Claude) and modern IDE histories (Cursor), the attackers are attempting to pivot into secure cloud environments and proprietary codebases where API keys and SSH secrets reside.
## Mitigations
* **Dependency Auditing:** Perform rigorous reviews of `package.json` files for new or unfamiliar polyfill/node plugins. Use tools like `npm audit` or JFrog’s security scanners.
* **Restrict Installation:** Where possible, limit the use of install-time scripts (`ignore-scripts`) to prevent automatic execution of malicious code during the `npm install` phase.
* **Secrets Management:** Use hardware security modules (HSMs) or dedicated secret management services (AWS Secrets Manager, HashiCorp Vault) rather than storing keys in `.env` files or local Zsh/IDE configurations.
* **Network Monitoring:** Monitor and alert on outbound connections to known low-reputation staging sites like JSONKeeper or the identified C2 IP address.