End-to-End Malware Flow | Image: JFrog
At a glance
| Field | Detail |
| --- | --- |
| Actor | Suspected North Korean Lazarus-linked group (attribution by TTP similarity) |
| Activity | npm supply chain attack using lookalike Rollup polyfill packages |
| Targets | JavaScript developers, build tooling, and CI machines |
| Scale | Six malicious packages imitating a library with ~295K weekly downloads |
| Status | Two packages pulled; four still live at report time; no law-enforcement action noted |
| Source | JFrog Security research team |
TL;DR
JFrog uncovered a Lazarus npm malware cluster hiding inside fake Rollup polyfill packages. The packages steal credentials, drain crypto wallets, and hand attackers remote control. JFrog links the campaign to North Korea’s Lazarus group, though the attribution rests on similarity rather than proof.
What Happened
JFrog’s research team traced the Lazarus npm malware to six packages posing as Rollup build tooling. Two entry packages, rollup-packages-polyfill-core and rollup-runtime-polyfill-core, copy a real project. They imitate the name, README, and repository metadata of rollup-plugin-polyfill-node.
That legitimate package sees heavy use. JFrog reports about 295,000 weekly downloads and over 1.2 million in the past month. Because the fakes sit in the same rollup, polyfill, and node naming space, a quick dependency review can miss them. As JFrog notes, “the names remain close to the legitimate project without being exact typos.”
The fake README even promises “A modern Node.js polyfill for your Rollup bundle.” The packages also point to a real GitHub repository for the genuine project. That trust cue nudges developers toward installing them.
A layered infection chain
The attack unfolds in stages. Each entry package quietly installs a second-stage “SVG utility.” Those helpers, named swift-parse-stream and quirky-token, hide the real logic. They fetch a JSON object from JSONKeeper and run its model field through eval. That code then pulls an encrypted payload from a command-and-control server. Finally, a loader named pack launches the real tools. A third package, react-icon-svgs, follows the same staging pattern.
First, though, the malware checks its surroundings. It quits inside cloud and sandbox environments like AWS, Vercel, Docker, and GitHub Codespaces. This helps it dodge analysis systems.
Who Is Behind It
JFrog attributes the campaign to the North Korean Lazarus group. However, the link rests on similarity, not hard proof. The layered structure, lookalike names, hidden install-time code, and credential-theft payloads match earlier Lazarus npm operations. JFrog also flags one twist: a new payload deployment method sets this cluster apart.
Other vendors urge the same caution on attribution. Absolute proof is hard, so treat the Lazarus link as a strong lead. No arrests or indictments have been announced.
Impact And Scale
The malware goes far beyond a simple downloader. Once the later stages run, the operator gains both data theft and live control. One component steals browser logins and crypto-wallet data, including MetaMask storage. Another scans the disk for secrets like .env files, SSH keys, and cloud credentials. That collector also hunts wallet phrases, private keys, and developer and AI-tool config folders. A third component watches the clipboard for copied seeds and tokens.
The remote-access module is the most serious piece. It can run commands, open terminals, and start SSH sessions. On Windows, it can also capture screenshots and control the mouse and keyboard. In short, the attacker can operate the machine as if seated at it.
The blast radius matters because the code sits in build tooling. Developers load Rollup plugins from config files, workstations, and CI jobs. Those systems often hold npm tokens, Git credentials, and cloud keys. As JFrog concludes, “each layer appears ordinary when viewed on its own.”
How To Stay Protected
Treat any affected machine as compromised. First, remove the six packages from projects and lockfiles. Then inspect dependency trees for transitive pulls of the second-stage helpers. Also search workstations and CI runners for pack, scdata, and ldata in temporary folders.
Next, block outbound traffic to the C2 address 216.126.236.244 and the JSONKeeper URL. Rotate npm, GitHub, cloud, SSH, and wallet secrets only after you clear active processes. Above all, review lookalike build dependencies even when the name is not an obvious typo.