North Korea-linked npm packages impersonate Rollup polyfill tools to steal developer secrets
TL;DR
Six malicious npm packages mimicking Rollup polyfill tools stole developer credentials and enabled remote access in a Lazarus-linked campaign.
Security researchers at JFrog have identified a set of malicious npm packages linked to North Korean threat actors that impersonate legitimate Rollup polyfill tooling to steal developer credentials and enable remote access to compromised machines. The packages, named “rollup-packages-polyfill-core” and “rollup-runtime-polyfill-core,” mimic the legitimate “rollup-plugin-polyfill-node” project down to its description, repository metadata, and package structure. All six packages in the campaign have since been removed from the npm registry.
The attack uses a layered delivery chain designed to evade detection. The first-stage packages install hidden second-stage dependencies disguised as SVG utilities, which then fetch a JSON object from a remote hosting service and execute the payload embedded in it. JFrog said the structure, combined with lookalike names, legitimate-looking metadata, and environment checks designed to...
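As an added defender-side example (not code from JFrog's research or the thenextweb.com story), the script below scans a package.json dependency map and flags names that closely resemble a known-good package such as rollup-plugin-polyfill-node, the kind of lookalike the campaign relied on. The sample package.json, the allowlist and the 0.6 threshold are constructed assumptions.

```python
"""Flag npm dependency names that look like a known-good package (lookalike check)."""
import json
from difflib import SequenceMatcher

# Constructed sample: the legitimate rollup polyfill plugin next to the two
# lookalike names reported in the campaign, plus unrelated packages.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {
        "rollup": "^4.0.0",
        "rollup-plugin-polyfill-node": "^0.13.0",
        "rollup-packages-polyfill-core": "^1.0.0",
        "rollup-runtime-polyfill-core": "^1.0.0",
        "lodash": "^4.17.21",
    }
})

# Assumed allowlist: packages the project is known to depend on legitimately.
KNOWN_GOOD = {"rollup", "rollup-plugin-polyfill-node", "lodash"}


def lookalike_score(candidate, reference):
    """Combine character-level similarity with overlap of hyphen-separated tokens."""
    ratio = SequenceMatcher(None, candidate, reference).ratio()
    a, b = set(candidate.split("-")), set(reference.split("-"))
    jaccard = len(a & b) / len(a | b)
    return max(ratio, jaccard)


def find_lookalikes(package_json_text, known_good=KNOWN_GOOD, threshold=0.6):
    """Return (dependency, closest known package, score) for suspicious names."""
    data = json.loads(package_json_text)
    deps = {}
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(data.get(field, {}))
    findings = []
    for name in deps:
        if name in known_good:
            continue  # exact allowlist match is not a lookalike
        closest = max(known_good, key=lambda ref: lookalike_score(name, ref))
        score = lookalike_score(name, closest)
        if score >= threshold:
            findings.append((name, closest, round(score, 2)))
    return sorted(findings)


if __name__ == "__main__":
    for dep, ref, score in find_lookalikes(SAMPLE_PACKAGE_JSON):
        print(f"REVIEW: {dep!r} resembles known package {ref!r} (score {score})")
```

A flagged name is a prompt for manual review of the package's publisher, repository and install scripts before it is allowed into a build.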
Copyright of this story solely belongs to thenextweb.com.