North Korea hides malware in fake Rollup npm packages to steal developer secrets
JFrog found a new set of malicious npm packages, attributed to North Korean actors, that impersonate legitimate Rollup polyfill tooling closely enough to pass a quick dependency review, matching the names and package metadata of the real projects. Installing them pulls in hidden second-stage packages disguised as SVG utilities; these first check that they are not running in a sandbox or a cloud build environment, then fetch and execute a JavaScript payload. The payload hunts for developer secrets, and notably targets the configuration and history of AI coding tools such as Cursor alongside AWS, Azure, SSH, and npm credentials. Because build plugins run with the developer's privileges on workstations and in CI, a single poisoned dependency can expose source code, tokens, and cloud keys.
- Check: whether any projects or build pipelines pulled the flagged Rollup-lookalike npm packages, and review developer machines and CI runners for exposed npm tokens, cloud keys, SSH keys, and AI coding tool configurations.
- Affected: developers and CI pipelines that installed the lookalike Rollup polyfill packages; the malware steals npm tokens, cloud and SSH credentials, source code, and secrets from AI coding tool configurations on the machine.
- Fix: pin and verify dependencies and scrutinize lookalike package names before installing, keep secrets out of developer and CI environments where possible, rotate any exposed credentials, and monitor for suspicious install-time network activity.