Malicious npm Packages Linked to North Korea Target Developer Secrets

Recent findings reveal a set of malicious npm packages linked to North Korean threat actors, designed to steal sensitive developer information under the guise of legitimate tools.

Threat actors associated with North Korea have been identified as the source of a new wave of malicious npm packages that impersonate Rollup polyfill tools. These packages, named rollup-packages-polyfill-core and rollup-runtime-polyfill-core, are designed to facilitate remote access and data theft, as reported by JFrog.

Details of the Malicious Packages

The malicious packages closely mimic the legitimate rollup-plugin-polyfill-node project, replicating its description, repository metadata, and overall structure. This deception allows them to blend into the npm ecosystem, making them plausible during quick dependency reviews. Alongside the primary packages, four additional malicious packages have also been removed from the npm registry: quirky-token, react-icon-svgs, rollup-plugin-polyfill-connect, and swift-parse-stream.

Functionality and Impact

The rollup-packages-polyfill-core package installs swift-parse-stream, while rollup-runtime-polyfill-core installs quirky-token. Those two second-stage packages pose as SVG sanitization utilities; in reality they fetch a JavaScript malware payload from a JSONKeeper URL and execute it. The malware checks for cloud development environments and sandboxes and refuses to run in them, reducing the chance that analysts observe its behaviour.

Once executed, the malware reaches out to an external server, 216.126.236[.]244, to download an encrypted JavaScript payload. This payload enables extensive control over the compromised host, allowing for interactive terminal sessions, command execution, and data theft from web browsers and cryptocurrency wallets. It specifically targets sensitive information such as API keys, SSH keys, and project secrets, which are often accessible in developer environments.

Previous Incidents and Ongoing Threats

This incident is not isolated; it follows a similar campaign reported in April 2026, where 108 malicious npm packages were published, delivering known malware families linked to North Korean operations. The current attack’s layered structure and use of lookalike names are reminiscent of previous tactics employed by North Korean actors.

In light of these developments, anyone who has installed any of the affected packages is advised to remove them immediately, treat the host as compromised, and rotate every credential that was reachable from it (API keys, SSH keys, project secrets, browser-stored logins and wallet material). Enabling dependency scanning in CI/CD pipelines is also recommended so that lookalike or install-script-bearing packages are flagged before they reach a build.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
