JFrog's research has revealed a supply chain attack attributed to the Lazarus group from North Korea, involving malicious npm packages that mimic legitimate Rollup polyfill packages. These six fake packages, designed to steal credentials and crypto wallet information, collectively garnered around 295,000 weekly downloads. Two of the packages have been removed, but four remained live at the time of the report.
The malware operates in multiple stages to evade detection: it first checks whether it is running in a cloud or sandbox environment, and only then installs secondary components that fetch further payloads from command-and-control servers. The attack gives the operators substantial access to and control over infected machines. To mitigate the risk, affected users are advised to remove these packages, inspect their dependency trees for them (including transitive and nested installs), and block the specific network traffic identified in the report. The incident underscores ongoing security challenges in the software supply chain.
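The dependency-tree inspection recommended above is easy to get wrong by hand, because a malicious package can arrive as a transitive dependency and be hoisted to the top of `node_modules` even though nothing in your own `package.json` names it. The following is an added example, not code from JFrog's report or from the Rollup project: a Node.js script that walks an npm lockfile (`lockfileVersion` 2 or 3, whose `packages` map is keyed by install path) and reports every installed package whose name is on a blocklist, together with the packages that declare a dependency on it. The lockfile contents and the blocklist entries are constructed placeholders; the real package names and network indicators must be taken from the report itself.

```javascript
// Added example (not from JFrog's report): find blocklisted packages anywhere in
// an npm lockfile and show which packages pull them in.
// Assumes lockfileVersion 2 or 3 ("packages" keyed by install path such as
// "node_modules/a/node_modules/b"); the older v1 nested "dependencies" layout
// is not handled. All names below are constructed placeholders.

const BLOCKLIST = new Set([
  "rollup-polyfill-placeholder-a", // hypothetical name, not a real package
  "rollup-polyfill-placeholder-b", // hypothetical name, not a real package
]);

// Constructed sample lockfile: one blocklisted package is installed nested
// under a helper, the other is hoisted to the top level.
const SAMPLE_LOCKFILE = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "sample-app",
      dependencies: { rollup: "^4.9.0", "some-build-helper": "1.2.0" },
    },
    "node_modules/rollup": {
      version: "4.9.0",
      dependencies: { "@types/estree": "1.0.5" },
    },
    "node_modules/@types/estree": { version: "1.0.5" },
    "node_modules/some-build-helper": {
      version: "1.2.0",
      dependencies: { "rollup-polyfill-placeholder-a": "^2.0.0" },
    },
    // Nested install: only reachable through some-build-helper.
    "node_modules/some-build-helper/node_modules/rollup-polyfill-placeholder-a": {
      version: "2.1.0",
      dependencies: { "rollup-polyfill-placeholder-b": "0.3.1" },
    },
    // Hoisted install: top level, although the root package.json never asks for it.
    "node_modules/rollup-polyfill-placeholder-b": { version: "0.3.1" },
  },
};

// The package name is whatever follows the last "node_modules/" segment, which
// keeps scoped names such as "@types/estree" intact.
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Map each dependency name to the install paths that declare it. The root
// entry "" stands for the project's own package.json.
function buildDependents(packages) {
  const dependents = new Map();
  for (const [installPath, entry] of Object.entries(packages)) {
    for (const dep of Object.keys(entry.dependencies || {})) {
      if (!dependents.has(dep)) dependents.set(dep, []);
      dependents.get(dep).push(installPath === "" ? "<root package.json>" : installPath);
    }
  }
  return dependents;
}

// One finding per blocklisted install, sorted by install path for stable output.
function findBlocklisted(lockfile, blocklist) {
  if (!lockfile.packages) {
    throw new Error("expected lockfileVersion 2 or 3 with a 'packages' map");
  }
  const dependents = buildDependents(lockfile.packages);
  const findings = [];
  for (const [installPath, entry] of Object.entries(lockfile.packages)) {
    if (installPath === "") continue; // the project itself
    const name = packageNameFromPath(installPath);
    if (name && blocklist.has(name)) {
      findings.push({
        name,
        version: entry.version,
        path: installPath,
        requiredBy: dependents.get(name) || [],
      });
    }
  }
  return findings.sort((a, b) => a.path.localeCompare(b.path));
}

// Print a report for the constructed lockfile when run directly.
function report(lockfile, blocklist) {
  const findings = findBlocklisted(lockfile, blocklist);
  for (const f of findings) {
    const via = f.requiredBy.length ? f.requiredBy.join(", ") : "nothing declared";
    console.log(`${f.name}@${f.version} at ${f.path} (required by: ${via})`);
  }
  return findings;
}

report(SAMPLE_LOCKFILE, BLOCKLIST);
```

To use this against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and fill `BLOCKLIST` from the names published in the report; `npm ls <name>` gives the same answer for a single package but this form is easier to run over many names in CI. Removing a flagged package means removing the dependent that pulls it in (or pinning that dependent to a clean version), not just deleting the directory, since the next install would bring it back.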