
North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets

North Korea-linked threat actors deployed malicious npm packages mimicking legitimate Rollup polyfills to compromise developer environments. Affected developers who installed 'rollup-packages-polyfill-core' or 'rollup-runtime-polyfill-core' are at immediate risk of credential theft, source code exfiltration, and remote code execution. This supply chain attack targets development secrets and secrets management systems.

CRITICAL | Advisory | Jul 05, 2026
Action required
Immediately audit npm package-lock.json files and node_modules directories for 'rollup-packages-polyfill-core' and 'rollup-runtime-polyfill-core'. Remove these packages, rotate all developer credentials and API tokens, and scan affected machines for data exfiltration and persistence mechanisms.
Affected products
JFrog, npm, @nut-tree-fork/nut-js