North Korean Hackers Target Developers with Fake npm Rollup Packages
Malicious npm packages mimicking popular Rollup polyfill tools have been linked to North Korean threat actors. These packages aim to steal developer credentials and enable remote access.
TL;DR
- North Korea-linked threat actors published fake npm packages resembling Rollup polyfills.
- Packages include rollup-packages-polyfill-core and rollup-runtime-polyfill-core.
- They imitate the legitimate rollup-plugin-polyfill-node project closely.
- Goal is to steal developer secrets and establish backdoor access.
- Developers using npm should verify package authenticity and sources.
Cybersecurity researchers have uncovered a new supply chain attack vector originating from threat actors linked to North Korea. These attackers have published malicious packages on the npm registry designed to deceive developers by impersonating trusted tooling.
The packages in question—'rollup-packages-polyfill-core' and 'rollup-runtime-polyfill-core'—are nearly identical in appearance and metadata to the widely used 'rollup-plugin-polyfill-node'. This mimicry makes them particularly dangerous, especially for development teams relying on automated dependency management.
Attack Details
- The malicious packages were uploaded to the public npm registry.
- They replicate repository information, descriptions, and naming conventions of legitimate projects.
- Once installed, they can exfiltrate sensitive environment variables and developer credentials.
- Remote access capabilities allow persistent presence within compromised environments.
Defense Recommendations
- Verify package names and authors before installation, even if they appear familiar.
- Use lock files and dependency pinning to prevent unexpected updates.
- Monitor for unusual network activity or file access patterns post-installation.
- Employ software composition analysis (SCA) tools to detect known malicious packages.
- Restrict npm publish permissions and use private registries where possible.
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.