Fake Rollup Helper Packages on npm Traced to North Korean Hackers

Two look-alike JavaScript packages copied a popular developer tool line-for-line, then quietly opened a back door onto the machines of anyone who installed them.

ThreatVectr Newsdesk· 3 min read
Photoreal editorial image, full-frame 16:9, of two nearly identical open cardboard shipping boxes on a dark desk, one subtly marked with a red warning tape, sof
Share

Key points

  • JFrog researchers found two malicious npm packages, "rollup-packages-polyfill-core" and "rollup-runtime-polyfill-core", posing as the legitimate rollup-plugin-polyfill-node project.
  • The packages install remote-access code and steal developer secrets from any machine that runs them.
  • JFrog attributes the campaign to hackers linked to North Korea, continuing a long-running push against software developers.
  • Developers who installed either package should assume their credentials, tokens and wallet files are exposed.

Two fake developer tools slipped onto npm — the public library where JavaScript programmers download free code — have been traced to hackers working for North Korea.

Security firm JFrog says the packages, named "rollup-packages-polyfill-core" and "rollup-runtime-polyfill-core", were built to impersonate a well-known helper called rollup-plugin-polyfill-node. That real package helps programmers make their code work in different environments. The fakes copied its description, its repository details and its overall look, so a busy developer skimming search results would struggle to spot the difference.

Anyone who typed the wrong name and installed one of the fakes got more than they bargained for.

What did the fake packages actually do?

They opened a back door on the developer's computer and hunted for anything valuable. According to JFrog, the code sets up remote access — a hidden channel the attackers can use to run commands on the victim's machine — and then sweeps the system for secrets. That means saved passwords, cloud login keys, source code and cryptocurrency wallet files.

For a working developer, those secrets are the keys to the kingdom. A stolen cloud key can let an attacker log into a company's servers. A stolen wallet file can drain someone's crypto savings in minutes.

Why target developers at all?

Because developers sit close to the money and close to the code. North Korea-linked crews, tracked over the years under names like Lazarus and its sub-group sometimes called "Contagious Interview", have spent the last two years hammering software engineers with fake job offers, fake coding tests and poisoned open-source packages. The goal is either straight theft of cryptocurrency or a foothold inside a technology company that can be used for a bigger heist later.

The playbook here is called a typosquat, meaning the attackers register a package name that looks almost identical to a real one and wait for someone to make a typing mistake. It is cheap, quiet and it works.

JFrog reported the two packages to npm, which is owned by GitHub, and they have since been removed. The Hacker News first flagged the wider campaign.

What should developers do now?

If you or your team installed either "rollup-packages-polyfill-core" or "rollup-runtime-polyfill-core", treat the machine as compromised. That is not a drill.

A sensible clean-up looks like this:

  • Rotate every credential the machine touched: cloud provider keys, npm tokens, GitHub personal access tokens, SSH keys and any saved browser passwords.
  • Move cryptocurrency out of any wallet whose files sat on that device, using a clean computer.
  • Rebuild the affected machine from a known-good image rather than trying to clean it.
  • Check your package.json and lockfiles across every project for the two malicious names, and audit recent installs for other unfamiliar dependencies.

On the regulator side, there is no single authority here — jurisdiction will follow the victims. In the United States, the FTC and, for any listed company that lost material data, the SEC would take an interest. In the United Kingdom, the ICO would want to hear about any personal data caught in the theft. In Australia, the OAIC's notifiable data breach scheme applies once individuals are affected.

The uncomfortable truth is that the npm ecosystem is enormous, largely trust-based, and North Korean operators have learned to hide in that trust. Reading the package name twice before you hit install is no longer paranoid. It is the job.

© 2026 Threat Vectr