North Korea NPM Packages Steal Developer Secrets via Fake Rollup Tools


North Korean threat actors are using fake npm packages that mimic Rollup polyfill tools to steal developer secrets. Learn how they do it and how to protect yourself.

If you're a JavaScript developer using npm, you need to know about a sneaky new threat. Threat actors tied to North Korea have been caught pushing malicious npm packages that pretend to be legitimate Rollup polyfill tools. These packages are designed to steal your secrets and give attackers remote access to your machine.

According to JFrog, the packages "rollup-packages-polyfill-core" and "rollup-runtime-polyfill-core" are the culprits. They copy the real "rollup-plugin-polyfill-node" project almost perfectly—right down to the description, repository metadata, and even the code structure. It's a classic disguise, but the stakes are high.

### What's the Big Deal?

These packages aren't just annoying—they're dangerous. Once installed, they can:

- Steal environment variables, API keys, and other sensitive data from your system
- Give attackers a backdoor to remotely control your development environment
- Exfiltrate code, credentials, and private project files

Think of it like someone dressing up as a trusted delivery driver to get inside your home. You'd let them in because they look legit, but once inside, they're after your valuables. That's exactly what's happening here.

### How They Pull It Off

The attackers mimic the real Rollup polyfill project so closely that even experienced developers might not spot the difference. They use the same names, descriptions, and metadata to trick npm users into downloading the malicious versions. Once installed, the packages execute code that connects to a remote server controlled by the attackers.

This isn't a new tactic—state-sponsored groups have been using supply chain attacks for years. But it's getting more sophisticated. The packages are designed to blend in, making them harder to detect with automated tools.

### Who's at Risk?

Any developer or organization that uses npm packages in their workflow could be targeted. That includes:

- Solo developers building personal projects
- Small startups relying on open-source dependencies
- Large enterprises with complex CI/CD pipelines

If you've ever installed a Rollup polyfill package without double-checking its source, you could be vulnerable. The attackers are betting on you trusting the package name and description at face value.

### What You Can Do About It

First, don't panic. But do take action. Here are some practical steps:

- Always verify the package source before installing. Check the npm page, the repository URL, and the author's history.
- Use package-lock.json or yarn.lock to lock down versions and avoid accidental updates to malicious packages.
- Run security audits regularly with tools like npm audit or Snyk.
- Monitor your environment for unusual outbound connections, especially to unknown IP addresses.

### The Bigger Picture

This attack is part of a broader trend: state-sponsored groups targeting the open-source ecosystem. North Korea's Lazarus Group and other actors have been linked to similar campaigns against cryptocurrency platforms and software developers. The goal is often to steal credentials, access sensitive systems, or fund illicit activities.

For developers, this means being more vigilant than ever. The open-source community is built on trust, but trust alone isn't enough anymore. You need to verify, audit, and secure your dependencies.

### Final Thoughts

This isn't just a technical issue—it's a reminder that your development environment is a target. The packages "rollup-packages-polyfill-core" and "rollup-runtime-polyfill-core" are known threats now, but new ones will pop up. Stay sharp, double-check everything, and don't let a fake package compromise your work.

If you're using Rollup polyfills, take a minute to review your node_modules. It could save you a lot of trouble down the road.
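The "verify the package source" and "review your node_modules" advice above can be turned into a quick metadata check. The script below is an added example, not code from the article or from JFrog: it flags the two package names the article reports, flags any manifest whose repository URL points at a repo with a different name than the package (the copied-metadata pattern described above), and notes install-time lifecycle hooks, which are one way a package can run code on install. The owner name `example-org` and the sample manifests are constructed for the demo.

```javascript
// Added example (not from the article): audit package.json manifests for the
// lookalike pattern described above. Runs offline on constructed sample data.
const KNOWN_BAD = new Set([
  'rollup-packages-polyfill-core', // named in the article
  'rollup-runtime-polyfill-core',  // named in the article
]);
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Extract "owner/repo" from the common package.json repository forms.
function repoSlug(repository) {
  const url = typeof repository === 'string'
    ? repository
    : (repository && repository.url) || '';
  const m = url.match(/github\.com[/:]([^/]+\/[^/.#]+)/i);
  return m ? m[1].toLowerCase() : null;
}

// Check one manifest; returns a list of finding strings (empty if clean).
function auditManifest(pkg) {
  const findings = [];
  if (KNOWN_BAD.has(pkg.name)) findings.push('known-malicious-name');
  const slug = repoSlug(pkg.repository);
  if (slug && slug.split('/')[1] !== pkg.name) {
    // Repository metadata points at a differently named project:
    // consistent with a package that copied another project's metadata.
    findings.push(`repo-name-mismatch:${slug}`);
  }
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push(`install-hook:${hook}`);
  }
  return findings;
}

// Audit a list of manifests (e.g. read from node_modules/*/package.json);
// returns { packageName: findings } for flagged packages only.
function auditAll(manifests) {
  const report = {};
  for (const pkg of manifests) {
    const f = auditManifest(pkg);
    if (f.length) report[pkg.name] = f;
  }
  return report;
}

// Constructed sample manifests; the owner "example-org" is a placeholder.
const SAMPLE = [
  { name: 'rollup-plugin-polyfill-node',
    repository: { type: 'git', url: 'git+https://github.com/example-org/rollup-plugin-polyfill-node.git' } },
  { name: 'rollup-runtime-polyfill-core',
    repository: 'https://github.com/example-org/rollup-plugin-polyfill-node',
    scripts: { postinstall: 'node setup.js' } },
  { name: 'left-pad', repository: { url: 'git+https://github.com/example-org/left-pad.git' } },
];
```

To run it against a real project, read each `node_modules/<name>/package.json` with `fs` and pass the parsed objects to `auditAll`; a repo-name mismatch is a prompt to look closer, not proof of malice (monorepos and renamed projects trigger it too).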