Threat actors linked to North Korea have published a pair of malicious npm packages designed to impersonate a well-known Rollup ecosystem tool, according to research from JFrog. The packages, named rollup-packages-polyfill-core and rollup-runtime-polyfill-core, closely mimic the legitimate rollup-plugin-polyfill-node project, copying its description, repository metadata, and other identifying details to appear credible to unsuspecting developers.
Typosquatting With a Convincing Facade
The campaign reflects a continued pattern of supply chain attacks targeting the JavaScript ecosystem. By replicating the surface-level attributes of a trusted package, the threat actors increase the likelihood that developers will install the malicious versions, either through direct confusion or automated dependency resolution. The attention to metadata detail, including matching repository references and package descriptions, makes these packages harder to dismiss on casual inspection.
Goals: Remote Access and Data Exfiltration
JFrog’s analysis indicates the packages are designed to enable remote access to compromised developer machines and facilitate theft of sensitive data. Developer workstations are a high-value target in supply chain operations, as they commonly hold source code, API keys, cloud credentials, and access tokens for internal systems.
North Korea’s Persistent npm Targeting
This activity fits within a broader, well-documented campaign by North Korea-affiliated groups to infiltrate software supply chains through malicious open-source packages. Previous operations have used similar tactics across npm and other package registries, often targeting cryptocurrency-related projects and developer tooling as initial access vectors.
Security teams maintaining JavaScript projects should audit their dependency trees for these package names and verify that any Rollup-related polyfill dependencies resolve to the legitimate rollup-plugin-polyfill-node package from its official source. Enabling package integrity checks and restricting installs to known-good registries can reduce exposure to this class of attack.
