Lazarus-Linked npm Malware Masquerades as Rollup Polyfills
2026-06-30 • JFrog
https://research.jfrog.com/post/rollup-polyfill-masquerading/
JFrog identified a Lazarus-linked npm supply-chain campaign that hid malicious code in Rollup-themed lookalike packages and SVG utility second stages. The packages fetched a JSONKeeper payload, decrypted a remote stage from 216.126.236.244, and launched Node.js components for remote access, browser and crypto-wallet data theft, broad file collection, and clipboard monitoring. The targeting of developer workstations and CI/build environments created risk to npm, GitHub, cloud, SSH, package-registry, browser-stored, and wallet credentials.
Indicators of Compromise