hacker-news · Crawled Jul 5, 2026
North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets
AI Summary
North Korean threat actors have been linked to a software supply chain attack involving malicious npm packages that impersonate legitimate Rollup polyfill tools. The packages, such as 'rollup-packages-polyfill-core' and 'rollup-runtime-polyfill-core', install secondary-stage malicious dependencies to steal developer secrets and enable remote access. The malware evades analysis environments, exfiltrates credentials, and supports interactive command execution, targeting developer workstations and CI/CD systems. This activity mirrors previous Lazarus-linked campaigns exploiting npm for credential theft.
AI-extracted · verify before operational use
Indicators of Compromise 15 extracted
MITRE ATT&CK TTPs 17 techniques
- T1005 Data from Local System · Collection
- T1027 Obfuscated Files or Information · Defense Evasion
- T1056.001 Keylogging · Collection
- T1056.002 GUI Input Capture · Collection
- T1059.007 JavaScript · Execution
- T1071 Application Layer Protocol · Command And Control
- T1071.001 Web Protocols · Command And Control
- T1082 System Information Discovery · Discovery
- T1114 Email Collection · Collection
- T1195.002 Compromise Software Supply Chain · Initial Access
- T1555 Credentials from Password Stores · Credential Access
- T1566 Phishing · Initial Access
- T1003 OS Credential Dumping · Credential Access
- T1059.001 PowerShell · Execution
- T1071.003 Mail Protocols · Command And Control
- T1482 Domain Trust Discovery · Discovery
- T1490 Inhibit System Recovery · Impact