Skip to content
feed: live about
>_ 0dayNews
supply chain
Analysis

DPRK-linked npm packages impersonate a Rollup polyfill to steal developer secrets

JFrog links two new malicious npm packages — impersonating a Rollup polyfill project down to its metadata — to a DPRK cluster after developer secrets and remote access.

Dave "Kilobaud" Ferris · Published · 4 min read

Two more npm packages, another North Korean cluster, another impersonation of a well-known open-source project. The Hacker News reported on July 3 that JFrog’s research team has linked a fresh pair of malicious packages — rollup-packages-polyfill-core and rollup-runtime-polyfill-core — to threat actors tied to North Korea. The two packages pose as tooling from the legitimate rollup-plugin-polyfill-node project, matching its description and repository metadata closely enough to survive a casual glance at an npm search result. Per JFrog, the intent is straightforward: remote access to the developer’s machine and theft of whatever secrets happen to be lying around it.

This is the same story with different names, told again.

What was reported

  • Two malicious packages published to npm — rollup-packages-polyfill-core and rollup-runtime-polyfill-core — masquerading as tooling for the legitimate rollup-plugin-polyfill-node project. Both are described by JFrog as impersonations that copy the legitimate project’s description and repository metadata to look convincing to a developer scanning the registry.
  • Attribution: a threat actor cluster with ties to North Korea, per JFrog. The Hacker News summary does not name a specific DPRK crew; that level of granularity, if it lands, will show up in JFrog’s own writeup.
  • Functional intent: remote access on the developer’s machine and exfiltration of developer credentials. Not a bulk-stealer campaign aimed at end users — a targeted play at the people building software.

The class of attack is not new. DPRK-linked clusters have been mining the npm registry, and PyPI before it, for at least the last few years with variations on the same shape: pick a legitimate project developers are likely to search for, publish a look-alike under a plausible namespace, wait for the tab-completion mistake or the copy-paste from a Stack-Overflow answer. The interesting question isn’t why they keep doing it. It’s why it keeps working.

Why this pattern keeps landing

Public package registries are trust systems built out of human-readable metadata: a name, a description, a linked repository, a maintainer account. For the overwhelming majority of packages that suffices. There are too many packages, too many maintainers, and too many upstream dependencies for anything else to scale. So the ecosystem does the sensible thing and treats the metadata as trust signal.

Which means the ecosystem has been telling attackers, for a decade, that metadata is the surface worth spoofing. Not code. Not signatures. The package name and the description and the linked repo. Impersonate a maintainer namespace convincingly and you inherit the trust that maintainer earned honestly. That’s what JFrog is describing here — down to the description and the repository metadata — and it’s what previous DPRK campaigns against npm and PyPI have described before.

The gatekeepers are the tooling. Which is fine, right up until the tooling is what’s being spoofed.

What developers and CI should actually do

None of this is a new checklist. It is the checklist we already had, repeated because the attackers keep proving it’s still worth repeating.

  • Verify the maintainer namespace before adding a new dependency. Not the package name, not the description — the account that owns it, and the linked repository the account claims. If the repo link points at a fork, a personal user account, or a stub, that is signal.
  • Pin exact versions and review lockfile diffs. A junior dependency update that pulls in an unfamiliar transitive package is exactly what a lockfile diff catches and exactly what a ^ range hides.
  • Scope developer credentials to the developer’s machine. If your npm token, cloud CLI credential, or SSH key would let an install-time script pivot into production, the blast radius from a compromised workstation is a policy question, not a technical one.
  • Treat CI runners as production. They have the same credentials as a developer laptop and more network reach. npm install in CI is a code-execution primitive; treat it accordingly.
  • Check JFrog’s own writeup and the vendor advisory as they land for the fine-grained indicators of compromise. A blog summary is enough to react to; the primary source is what you feed to your SIEM.

Watching for

  • JFrog’s full technical writeup with named DPRK cluster attribution, package hashes, and the specific developer secrets targeted. THN’s summary is a pointer to that research, not a substitute.
  • Follow-on package publishes under adjacent namespaces. When one impersonation pair gets pulled, the same actor usually re-uploads under a slightly different name within days. Set a name-similarity alert against rollup-plugin-polyfill-node if you rely on it.
  • npm registry response. Removals are typically fast once a package is reported; the interesting metric is time-to-detection, not time-to-removal.

The last time an ecosystem got serious about this class of attack was after the PyPI incidents earlier in the decade, and “serious” mostly meant “wrote a blog post about it.” Same mistake, different decade — the wheel keeps turning because turning it is what the wheel does. This week’s turn is JFrog’s find. Next week’s will be somebody else’s.

Sourcing

Found this useful? Share it.