A new supply chain attack targeting JavaScript developers has emerged, with North Korean threat actors distributing malicious npm packages designed to compromise development environments and steal sensitive credentials. The sophisticated attack demonstrates the ongoing evolution of state-sponsored cyber threats targeting the software development ecosystem.

Security researchers at JFrog have identified two malicious npm packages—"rollup-packages-polyfill-core" and "rollup-runtime-polyfill-core"—that cleverly masquerade as legitimate Rollup polyfill tooling. These deceptive packages mirror the authentic "rollup-plugin-polyfill-node" project, including matching descriptions and repository metadata, making them particularly difficult to distinguish from benign software. Once installed, these packages facilitate remote access and data exfiltration, potentially giving attackers persistent access to development environments.
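The impersonation described above relies on copying a genuine project's description and repository fields under a different package name. The following is an added example, not code from the article or from JFrog, that flags dependencies whose registry metadata mirrors a known-good package while the name differs. The descriptions and repository URLs in the sample records are constructed placeholders (`example.invalid`), not the real projects' values; only the three package names are taken from the article.

```javascript
// Added example (not part of the article or of JFrog's research): flag npm
// dependencies whose registry metadata mirrors a known-good package while the
// package name differs. Records below are constructed to resemble the fields
// returned by `npm view <pkg> --json`; descriptions and URLs are placeholders.

// Constructed reference record for the genuine project named in the article.
const KNOWN_GOOD = [
  {
    name: "rollup-plugin-polyfill-node",
    description: "Node polyfills for Rollup builds",                          // constructed
    repository: "git+https://example.invalid/rollup-plugin-polyfill-node.git" // placeholder
  }
];

// Constructed dependency metadata: the two names reported by JFrog with copied
// description/repository, the genuine package itself, and an unrelated one.
const SAMPLE_DEPS = [
  { name: "rollup-packages-polyfill-core",
    description: "Node polyfills for Rollup builds",
    repository: { type: "git", url: "https://example.invalid/rollup-plugin-polyfill-node" } },
  { name: "rollup-runtime-polyfill-core",
    description: "Node polyfills for Rollup builds",
    repository: "git+https://example.invalid/rollup-plugin-polyfill-node.git" },
  { name: "rollup-plugin-polyfill-node",
    description: "Node polyfills for Rollup builds",
    repository: "git+https://example.invalid/rollup-plugin-polyfill-node.git" },
  { name: "left-pad",
    description: "String left pad",
    repository: "https://example.invalid/left-pad" }
];

// Split a package name into lowercase word tokens ("@scope/foo-bar" -> scope, foo, bar).
function nameTokens(name) {
  return new Set(name.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean));
}

// Jaccard similarity of two token sets, in the range 0..1.
function jaccard(a, b) {
  let inter = 0;
  for (const t of a) if (b.has(t)) inter++;
  const union = a.size + b.size - inter;
  return union === 0 ? 0 : inter / union;
}

// Normalise the `repository` field (string or {url}) so trivial variations
// (git+ prefix, .git suffix, trailing slash, letter case) still compare equal.
function normalizeRepo(repo) {
  const url = typeof repo === "string" ? repo : (repo && repo.url) || "";
  return url.toLowerCase()
    .replace(/^git\+/, "")
    .replace(/\/+$/, "")
    .replace(/\.git$/, "");
}

// Return one finding per dependency that copies a known-good package's
// description or repository under a different name. A merely similar name is
// reported as a score for the reviewer, not treated as a reason on its own.
function findLookalikes(deps, knownGood) {
  const findings = [];
  for (const dep of deps) {
    for (const good of knownGood) {
      if (dep.name === good.name) continue; // the genuine package, not a lookalike
      const reasons = [];
      if (dep.description && dep.description === good.description) {
        reasons.push("description identical to " + good.name);
      }
      const depRepo = normalizeRepo(dep.repository);
      if (depRepo && depRepo === normalizeRepo(good.repository)) {
        reasons.push("repository URL identical to " + good.name);
      }
      if (reasons.length === 0) continue;
      findings.push({
        name: dep.name,
        mimics: good.name,
        nameSimilarity: Number(jaccard(nameTokens(dep.name), nameTokens(good.name)).toFixed(2)),
        reasons
      });
    }
  }
  return findings;
}

const REPORT = findLookalikes(SAMPLE_DEPS, KNOWN_GOOD);
console.log(JSON.stringify(REPORT, null, 2));
```

In practice the records in `SAMPLE_DEPS` would be built from `npm view <name> --json` for each entry in a lockfile, and `KNOWN_GOOD` from the packages a project intentionally depends on; copied description or repository metadata is then a review trigger before the dependency is allowed into a build, while the name-similarity score only helps prioritise.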

The primary targets of this campaign are JavaScript developers and organizations utilizing Node.js in their development workflows. Given the prevalence of npm packages in modern web development, the potential reach