The Hacker News · Saturday, July 4, 2026

North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets

npm · supply-chain · malware · north-korea · rollup

Security researchers have identified several malicious npm packages associated with North Korean threat actors that impersonate Rollup polyfills. The packages, published under names such as "rollup-polyfill" and "@rollup/polyfill", are designed to steal sensitive information from developers' machines. Upon installation, the packages execute post-install scripts that harvest environment variables, SSH keys, and other credentials, then send the stolen data to command-and-control servers. The campaign targets developers who use the Rollup module bundler, a popular tool in JavaScript development. The malicious packages were published on the npm registry and had been downloaded hundreds of times before being reported. The incident highlights ongoing supply chain attacks aimed at the open-source ecosystem, particularly those targeting developer tools as a route into broader networks and sensitive projects.

// why it matters

Developers using npm packages should verify package authenticity to avoid credential theft from supply chain attacks.

Sources

Primary · The Hacker News
▸ Read original at thehackernews.com
