hacker-news · Crawled Jul 5, 2026

North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets

15 IoCs 2 Malware

AI Summary

North Korean threat actors have been linked to a software supply chain attack involving malicious npm packages that impersonate legitimate Rollup polyfill tools. The packages, such as 'rollup-packages-polyfill-core' and 'rollup-runtime-polyfill-core', pull in second-stage malicious dependencies that steal developer secrets and enable remote access. The malware evades analysis environments, exfiltrates credentials, and supports interactive command execution, targeting developer workstations and CI/CD systems. This activity mirrors previous Lazarus-linked campaigns that abused npm for credential theft.

AI-extracted · verify before operational use

Extracted Entities 2 found

Indicators of Compromise 15 extracted

Type           Value
IP             216.126.236.244
IP             142.93.211.30
Domain         jsonkeeper.com
Package        rollup-packages-polyfill-core
Package        rollup-runtime-polyfill-core
Package        quirky-token
Package        react-icon-svgs
Package        rollup-plugin-polyfill-connect
Package        swift-parse-stream
Package        express-session-js
Package        security-alerts-sdk
Package        events-runtime
Package        o3forms
GitHub Repo    marketfront
Registry User  marketfront

MITRE ATT&CK TTPs 17 techniques