Threat actors tied to North Korea have been linked to a fresh set of malicious npm packages that masquerade as Rollup polyfill tooling. Researchers at JFrog identified the packages "rollup-packages-polyfill-core" and "rollup-runtime-polyfill-core," which closely mimic the legitimate "rollup-plugin-polyfill-node" project.

The malicious packages replicate the description, repository metadata, and structure of the authentic tooling down to fine detail. This type of typosquatting or dependency confusion attack is designed to trick developers into inadvertently pulling poisoned code into their build pipelines.

Once installed, the packages enable remote access and data theft, targeting sensitive developer secrets and credentials. The attack vector leverages the trust developers place in widely used build tools and the npm ecosystem's reliance on package name uniqueness.

The discovery highlights ongoing supply chain risks within the JavaScript ecosystem. JFrog's analysis points to infrastructure overlaps with previously documented North Korean threat activity, though independent confirmation of attribution remains limited.

There is no evidence of these packages having been removed from npm at the time of reporting. Developers are advised to verify package integrity and audit their dependency trees for unexpected additions.
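A defensive check in the spirit of that advice, added here as an illustration and not part of the JFrog research: it reads a package-lock.json, lists installed packages that are not on a project allowlist, and scores how closely each one's name mimics an allowlisted package. The allowlist, the similarity threshold and the sample lock file are constructed assumptions.

```javascript
// Added example, not from the JFrog report: flag lock-file dependencies not on an
// allowlist and rank them by how closely their names mimic an allowlisted package.
// Assumed allowlist: packages this hypothetical project expects in its lock file.
const KNOWN_PACKAGES = ["rollup", "rollup-plugin-polyfill-node"];

// Constructed package-lock.json (lockfileVersion 2/3 "packages" layout) for the demo.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/rollup": { version: "0.0.0-constructed" },
    "node_modules/rollup-plugin-polyfill-node": { version: "0.0.0-constructed" },
    "node_modules/rollup-packages-polyfill-core": { version: "0.0.0-constructed" },
  },
};

// Split a package name into its separator-delimited words, dropping the scope marker.
function nameTokens(name) {
  return new Set(name.replace(/^@/, "").split(/[-_./]/).filter(Boolean));
}

// Jaccard similarity of two names' token sets: 1.0 means identical word sets.
function tokenSimilarity(a, b) {
  const ta = nameTokens(a), tb = nameTokens(b);
  let shared = 0;
  for (const t of ta) if (tb.has(t)) shared++;
  return shared / (ta.size + tb.size - shared);
}

// Every package name the lock says is installed, including nested copies.
function dependencyNames(lock) {
  const names = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    const idx = key.lastIndexOf("node_modules/");
    if (idx >= 0) names.add(key.slice(idx + "node_modules/".length));
  }
  return [...names];
}

// unexpected: installed but not allowlisted. lookalikes: unexpected names that share
// enough tokens with an allowlisted package to deserve a human look before shipping.
function auditLock(lock, known = KNOWN_PACKAGES, threshold = 0.3) {
  const unexpected = dependencyNames(lock).filter((n) => !known.includes(n));
  const lookalikes = [];
  for (const name of unexpected) {
    for (const legit of known) {
      const score = tokenSimilarity(name, legit);
      if (score >= threshold) lookalikes.push({ name, mimics: legit, score });
    }
  }
  return { unexpected, lookalikes };
}
```

Against the constructed lock, `auditLock(SAMPLE_LOCK)` reports `rollup-packages-polyfill-core` as unexpected and as a lookalike of `rollup-plugin-polyfill-node`; a real lock file can be passed in with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.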