Lazarus-Linked npm Malware Masquerades as Rollup Polyfills

2026-06-30 JFrog

https://research.jfrog.com/post/rollup-polyfill-masquerading/


JFrog identified a Lazarus-linked npm supply-chain campaign that hid malicious code in Rollup-themed lookalike packages, with SVG-utility packages serving as second stages. The packages fetched a payload hosted on JSONKeeper (jsonkeeper.com), used it to retrieve and decrypt a further stage from 216.126.236.244, and launched Node.js components that provided remote access, stole browser and crypto-wallet data, collected files broadly, and monitored the clipboard. Because the targets are developer workstations and CI/build environments, a compromise exposes npm, GitHub, cloud, SSH, and package-registry credentials as well as browser-stored secrets and wallet data, so any host that installed one of these packages should have those credentials rotated, not just the package removed.

Indicators of Compromise

Type   Value                               First Seen   Last Seen
URL    http://216.126.236.244/api/serv…    2026-06-30   2026-06-30
URL    http://216.126.236.244:4806/upl…    2026-06-30   2026-06-30
URL    http://216.126.236.244:4809/cld…    2026-06-30   2026-06-30
URL    http://216.126.236.244:4809/upl…    2026-06-30   2026-06-30
URL    http://216.126.236.244/api/serv…    2026-06-30   2026-06-30
URL    https://www.jsonkeeper.com/b/3P…    2026-06-30   2026-06-30
IPv4   216.126.236.244                     2026-06-30   2026-06-30
