2d ago · hacker-news
North Korean threat actors have been linked to a software supply chain attack involving malicious npm packages that impersonate legitimate Rollup polyfill tools. The packages, such as 'rollup-packages-polyfill-core' and 'rollup-runtime-polyfill-core', install secondary-stage malicious dependencies to steal developer secrets and enable remote access. The malware evades analysis environments, exfiltrates credentials, and supports interactive command execution, targeting developer workstations and CI/CD systems. This activity mirrors previous Lazarus-linked campaigns exploiting npm for credential theft.