Recent cybersecurity reporting has revealed malicious npm packages, attributed to North Korean threat actors, that were published to compromise developer workstations. The packages masquerade as polyfill tooling for the Rollup bundler and are built to steal sensitive data from the systems they land on.
Identifying the Threat
The security firm JFrog identified two npm packages, ‘rollup-packages-polyfill-core’ and ‘rollup-runtime-polyfill-core’, that imitate the legitimate ‘rollup-plugin-polyfill-node’. They copy the real project’s description, repository metadata, and package layout, so a dependency review that only reads the package page or README is unlikely to tell them apart.
Four further packages tied to the same campaign have already been removed from the npm registry: ‘quirky-token’, ‘react-icon-svgs’, ‘rollup-plugin-polyfill-connect’, and ‘swift-parse-stream’. The campaign is staged: the first-stage packages pull in a second-stage package, and it is the second stage that carries out the malicious operations.
Technical Insights and Operations
The second-stage packages, posing as SVG utilities, fetch encoded JavaScript from an external server. Before running its payload, the malware checks its surroundings to avoid executing inside cloud-hosted or sandboxed analysis environments. It then installs the dependencies it needs and contacts a remote server to download an encrypted script that gives the operators remote access to the machine and lets them exfiltrate data.
These operations are reminiscent of previous campaigns by North Korean groups, notably the Lazarus Group. Such campaigns have consistently targeted npm with similar tactics to compromise developer environments.
Wider Implications and Security Measures
This incident is part of a broader trend of software supply chain attacks targeting open-source repositories. Several clusters of trojanized packages have been discovered, each aiming to steal credentials and sensitive data from developers and organizations.
Security experts recommend immediate action for any developer who may have installed these packages: remove them, rotate every credential that was reachable from the affected machine, block the attacker’s network infrastructure at the perimeter, and add dependency scanning to CI/CD pipelines so that packages like these are caught before they reach a build or a developer workstation.
As these threats evolve, organizations must remain vigilant and adopt robust security practices to protect their software development processes and sensitive data from advanced cyber threats.
