JFrog: Lazarus / OtterCookie `rollup-*-polyfill-core` npm campaign — 6 packages steal AI-coder credentials, browser data and crypto wallets
JFrog Security Research disclosed a 6-package DPRK / Contagious Interview npm campaign that mimics the legitimate rollup-plugin-polyfill-node project down to its metadata. First-stage packages carry a base64-encoded npm install that fetches an SVG-utility-shaped second stage; the second stage evaluates a payload pulled from JSONKeeper and steals credentials for AWS, Azure, Google Gemini, Anthropic Claude, Windsurf, Cursor, VS Code, SSH and Zsh, plus browser data and crypto wallets. Two of the first-stage packages are STILL live on npm as of 2026-07-04.
- Threat actor
- Lazarus / DPRK Contagious Interview (OtterCookie lineage)
- Detected by
- JFrog Security Research
- Also known as
- JFrog Rollup polyfill campaign · Contagious Interview July 2026
- Ecosystems
- npm
- Packages tracked
- 6
What happened
JFrog Security Research (Yair Benamou) disclosed a 6-package npm campaign attributed to Lazarus / DPRK's "Contagious Interview" operator, amplified widely by The Hacker News, TheNextWeb and other outlets on 2026-07-03. The campaign impersonates the popular rollup-plugin-polyfill-node package down to its description, repository metadata, and package shape, then uses a two-stage install chain to plant an OtterCookie-family RAT on developer workstations.
Two-stage install chain
The first-stage packages carry a base64-encoded npm install command as postinstall / preinstall behaviour, hidden inside otherwise plausible-looking Rollup polyfill code:
rollup-packages-polyfill-core(12 versions,0.0.0→0.13.8, published 2026-05-18 → 2026-07-01) — dropsswift-parse-streamrollup-runtime-polyfill-core(13 versions,0.0.1→0.14.0, published 2026-05-19 → 2026-07-01) — dropsquirky-tokenreact-icon-svgs(4 versions,1.0.0→2.15.3, published 2026-05-07 → 2026-05-08) — dropsrollup-plugin-polyfill-connect
The second-stage packages are near-identical stubs disguised as SVG-sanitisation utilities:
swift-parse-stream(2 visible versions, 2026-06-08 → 2026-06-17)quirky-token(3 visible versions, 2026-06-08 → 2026-06-17)rollup-plugin-polyfill-connect(3 visible versions, 2026-04-23 → 2026-04-29)
Each second-stage package fetches a JSON blob from JSONKeeper (a public paste-style hosting service) and evals the model field to execute the actual stage-3 payload — a live evaluation of remote JavaScript that gives the operator arbitrary control without pushing an update to npm.
Stage-3 payload behaviour
Before executing, the payload runs sandbox / cloud-development-environment / serverless / analysis-environment checks to avoid detonation on researcher machines. On real developer hosts it:
- Harvests AI-coder credentials and history: editor state for VS Code, Windsurf and Cursor; API keys and configuration for Anthropic Claude, Google Gemini and Foundry — the operator explicitly targets the LLM-tooling attack surface, not just cloud consoles
- Steals cloud credentials: AWS access keys, Azure credentials, GCP tokens
- Grabs shell state: SSH private keys,
.zshrcand Zsh history - Web3 targets: browser-extension wallets and desktop wallet files, matching the OtterCookie / BeaverTail Web3-first pattern documented by Panther in April 2026
- Periodic clipboard capture: on a polling timer, every clipboard state is exfiltrated — this catches
.envvalues, one-time codes, seed phrases and any secret pasted while the RAT is running - Interactive Windows RAT: a forked keyboard-and-mouse control library gives the operator remote terminal, screenshotting and simulated user input — the OtterCookie hallmark on Windows targets
Registry state at time of disclosure
As of the WebFetch / registry check at 2026-07-04 06:00 UTC:
rollup-packages-polyfill-core→ still live, dist-taglatest = 0.13.8, published 2026-07-01rollup-runtime-polyfill-core→ still live, dist-taglatest = 0.14.0, published 2026-07-01react-icon-svgs→ replaced with0.0.1-securityon 2026-06-26swift-parse-stream→ replaced with0.0.1-securityon 2026-06-29quirky-token→ replaced with0.0.1-securityon 2026-06-29rollup-plugin-polyfill-connect→ replaced with0.0.1-securityon 2026-06-26
npm Security took down the second-stage packages in late June, but the two most-recent first-stage packages are still resolvable at time of disclosure — every automated resolver in the ecosystem is still one typo away from pulling working malware. Block them at the proxy immediately.
Attribution
JFrog attributes to Lazarus / DPRK Contagious Interview based on TTP overlap with the OtterCookie family — specifically the forked keyboard-and-mouse control library that has been an OtterCookie IOC since 2025. This ties directly to the April 2026 Panther-tracked 108-package BeaverTail / OtterCookie wave and the February 2026 stegabin / Contagious Interview cluster already in the catalogue. This is not a copycat — same operator, updated tradecraft: the JSONKeeper eval staging and the AI-coder credential targeting (Claude, Gemini, Windsurf, Cursor) are new for 2026 Q3.
Affected packages (6)
- npm
quirky-token1.0.01.0.11.0.2 - npm
react-icon-svgs1.0.01.0.11.0.22.15.3 - npm
rollup-packages-polyfill-core0.0.00.5.00.12.30.13.00.13.10.13.20.13.30.13.40.13.50.13.60.13.70.13.8 - npm
rollup-plugin-polyfill-connect1.0.11.0.21.0.3 - npm
rollup-runtime-polyfill-core0.0.10.12.50.13.00.13.10.13.20.13.30.13.40.13.50.13.60.13.70.13.80.13.90.14.0 - npm
swift-parse-stream1.0.01.0.2
Impact
- Two first-stage packages are STILL LIVE on npm as of 2026-07-04:
rollup-packages-polyfill-core@0.13.8(latest, 2026-07-01) androllup-runtime-polyfill-core@0.14.0(latest, 2026-07-01). Any resolver that hits these names between 2026-05-18 (first push) and now will pull a working malware chain — treat this as a live incident, not a historical yank - The malware specifically targets AI-coder tooling that has legitimate credentials for high-value LLM APIs — Anthropic Claude, Google Gemini and Foundry keys, along with Windsurf / Cursor / VS Code editor history and configuration. A single infected developer laptop yields Claude API keys, GitHub tokens, cloud credentials and the last N days of AI-assisted code the developer was working on
- Clipboard is captured on a periodic timer — for developers whose workflow includes pasting
.envvalues, seed phrases, or one-time codes, every such paste in the polling window is exfiltrated - Cryptocurrency wallets and browser data are also stolen — the payload keeps the Contagious Interview / OtterCookie modus operandi of prioritising fintech and Web3 targets alongside developer credential theft
- The forked keyboard-and-mouse control library gives the operator interactive remote terminal, screenshotting, and simulated user input on compromised Windows workstations — this is not just a credential-scraper drop, it is a live RAT once the second stage runs
- Total install-time exposure window per first-stage package: 45–47 days at time of disclosure. Anyone whose CI or dev machine resolved
rollup-packages-polyfill-coreorrollup-runtime-polyfill-corein June 2026 should assume compromise and rotate every credential the machine could reach
What to do
- 1IMMEDIATELY block
rollup-packages-polyfill-coreandrollup-runtime-polyfill-coreat your registry proxy — these are STILL LIVE on the public npm registry as of 2026-07-04 despite the public disclosure. Add explicit deny rules to Artifactory / Nexus / Verdaccio / Socket policy - 2Remove every reference to any of the 6 packages listed below from
package.json, lockfiles, CI image layers, and committednode_modules. The legitimate slug isrollup-plugin-polyfill-node(from GitHubFredKSchott/rollup-plugin-polyfill-node) — anything with-packages-,-runtime-, or-connectin the polyfill name is not a legitimate Rollup ecosystem package - 3Any host that installed a first-stage package (
rollup-packages-polyfill-core,rollup-runtime-polyfill-core,react-icon-svgs) should be treated as fully compromised: rotate AWS, Azure, Google Gemini, Anthropic Claude, Foundry, GitHub, SSH and Zsh credentials from a separate clean device - 4Rotate every AI-coder token stored on the machine — Anthropic API keys, Google Gemini keys, GitHub Copilot / Cursor / Windsurf / VS Code tokens, and Foundry keys. Editor history for Windsurf, Cursor and VS Code is exfiltrated, so treat any code or prompt written in those editors during the exposure window as leaked
- 5Rotate crypto wallet keys and inspect any wallet accessible from the machine — the payload targets extension wallets and desktop wallet files
- 6Hunt for outbound HTTP to JSONKeeper (
jsonkeeper.com) from developer workstations and CI runners during the exposure window; the payload fetches its stage-3 script from a JSONKeepermodelfield - 7Windows-only IOC: presence of a forked keyboard-and-mouse control library on disk, periodic clipboard capture, and screenshotting activity are the OtterCookie hallmarks — treat any match as an active RAT and re-image the host
References
- The Hacker NewsNorth Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secretsthehackernews.com
- TheNextWebNorth Korea-linked npm packages impersonate Rollup polyfill tools to steal developer secretsthenextweb.com
- KSEC Community ForumNorth Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets — Cyber Threat Intel Feedforum.ksec.co.uk
- BackBox.org NewsNorth Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secretsnews.backbox.org
- CyberTechWorldNorth Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secretsnews.cybertechworld.co.in