Feed
CriticalPublished 3 Jul 20266 packages · 37 versions

JFrog: Lazarus / OtterCookie `rollup-*-polyfill-core` npm campaign — 6 packages steal AI-coder credentials, browser data and crypto wallets

Summary

JFrog Security Research disclosed a 6-package DPRK / Contagious Interview npm campaign that mimics the legitimate rollup-plugin-polyfill-node project down to its metadata. First-stage packages carry a base64-encoded npm install that fetches an SVG-utility-shaped second stage; the second stage evaluates a payload pulled from JSONKeeper and steals credentials for AWS, Azure, Google Gemini, Anthropic Claude, Windsurf, Cursor, VS Code, SSH and Zsh, plus browser data and crypto wallets. Two of the first-stage packages are STILL live on npm as of 2026-07-04.

credential-theftcrypto-wallet-draininfostealerobfuscationtyposquat
Threat actor
Lazarus / DPRK Contagious Interview (OtterCookie lineage)
Detected by
JFrog Security Research
Also known as
JFrog Rollup polyfill campaign · Contagious Interview July 2026
Ecosystems
npm
Packages tracked
6

What happened

JFrog Security Research (Yair Benamou) disclosed a 6-package npm campaign attributed to Lazarus / DPRK's "Contagious Interview" operator, amplified widely by The Hacker News, TheNextWeb and other outlets on 2026-07-03. The campaign impersonates the popular rollup-plugin-polyfill-node package down to its description, repository metadata, and package shape, then uses a two-stage install chain to plant an OtterCookie-family RAT on developer workstations.

Two-stage install chain

The first-stage packages carry a base64-encoded npm install command as postinstall / preinstall behaviour, hidden inside otherwise plausible-looking Rollup polyfill code:

  • rollup-packages-polyfill-core (12 versions, 0.0.00.13.8, published 2026-05-18 → 2026-07-01) — drops swift-parse-stream
  • rollup-runtime-polyfill-core (13 versions, 0.0.10.14.0, published 2026-05-19 → 2026-07-01) — drops quirky-token
  • react-icon-svgs (4 versions, 1.0.02.15.3, published 2026-05-07 → 2026-05-08) — drops rollup-plugin-polyfill-connect

The second-stage packages are near-identical stubs disguised as SVG-sanitisation utilities:

  • swift-parse-stream (2 visible versions, 2026-06-08 → 2026-06-17)
  • quirky-token (3 visible versions, 2026-06-08 → 2026-06-17)
  • rollup-plugin-polyfill-connect (3 visible versions, 2026-04-23 → 2026-04-29)

Each second-stage package fetches a JSON blob from JSONKeeper (a public paste-style hosting service) and evals the model field to execute the actual stage-3 payload — a live evaluation of remote JavaScript that gives the operator arbitrary control without pushing an update to npm.

Stage-3 payload behaviour

Before executing, the payload runs sandbox / cloud-development-environment / serverless / analysis-environment checks to avoid detonation on researcher machines. On real developer hosts it:

  • Harvests AI-coder credentials and history: editor state for VS Code, Windsurf and Cursor; API keys and configuration for Anthropic Claude, Google Gemini and Foundry — the operator explicitly targets the LLM-tooling attack surface, not just cloud consoles
  • Steals cloud credentials: AWS access keys, Azure credentials, GCP tokens
  • Grabs shell state: SSH private keys, .zshrc and Zsh history
  • Web3 targets: browser-extension wallets and desktop wallet files, matching the OtterCookie / BeaverTail Web3-first pattern documented by Panther in April 2026
  • Periodic clipboard capture: on a polling timer, every clipboard state is exfiltrated — this catches .env values, one-time codes, seed phrases and any secret pasted while the RAT is running
  • Interactive Windows RAT: a forked keyboard-and-mouse control library gives the operator remote terminal, screenshotting and simulated user input — the OtterCookie hallmark on Windows targets

Registry state at time of disclosure

As of the WebFetch / registry check at 2026-07-04 06:00 UTC:

  • rollup-packages-polyfill-corestill live, dist-tag latest = 0.13.8, published 2026-07-01
  • rollup-runtime-polyfill-corestill live, dist-tag latest = 0.14.0, published 2026-07-01
  • react-icon-svgs → replaced with 0.0.1-security on 2026-06-26
  • swift-parse-stream → replaced with 0.0.1-security on 2026-06-29
  • quirky-token → replaced with 0.0.1-security on 2026-06-29
  • rollup-plugin-polyfill-connect → replaced with 0.0.1-security on 2026-06-26

npm Security took down the second-stage packages in late June, but the two most-recent first-stage packages are still resolvable at time of disclosure — every automated resolver in the ecosystem is still one typo away from pulling working malware. Block them at the proxy immediately.

Attribution

JFrog attributes to Lazarus / DPRK Contagious Interview based on TTP overlap with the OtterCookie family — specifically the forked keyboard-and-mouse control library that has been an OtterCookie IOC since 2025. This ties directly to the April 2026 Panther-tracked 108-package BeaverTail / OtterCookie wave and the February 2026 stegabin / Contagious Interview cluster already in the catalogue. This is not a copycat — same operator, updated tradecraft: the JSONKeeper eval staging and the AI-coder credential targeting (Claude, Gemini, Windsurf, Cursor) are new for 2026 Q3.

Affected packages (6)

  • npmquirky-token
    1.0.01.0.11.0.2
  • npmreact-icon-svgs
    1.0.01.0.11.0.22.15.3
  • npmrollup-packages-polyfill-core
    0.0.00.5.00.12.30.13.00.13.10.13.20.13.30.13.40.13.50.13.60.13.70.13.8
  • npmrollup-plugin-polyfill-connect
    1.0.11.0.21.0.3
  • npmrollup-runtime-polyfill-core
    0.0.10.12.50.13.00.13.10.13.20.13.30.13.40.13.50.13.60.13.70.13.80.13.90.14.0
  • npmswift-parse-stream
    1.0.01.0.2

Impact

  • Two first-stage packages are STILL LIVE on npm as of 2026-07-04: rollup-packages-polyfill-core@0.13.8 (latest, 2026-07-01) and rollup-runtime-polyfill-core@0.14.0 (latest, 2026-07-01). Any resolver that hits these names between 2026-05-18 (first push) and now will pull a working malware chain — treat this as a live incident, not a historical yank
  • The malware specifically targets AI-coder tooling that has legitimate credentials for high-value LLM APIs — Anthropic Claude, Google Gemini and Foundry keys, along with Windsurf / Cursor / VS Code editor history and configuration. A single infected developer laptop yields Claude API keys, GitHub tokens, cloud credentials and the last N days of AI-assisted code the developer was working on
  • Clipboard is captured on a periodic timer — for developers whose workflow includes pasting .env values, seed phrases, or one-time codes, every such paste in the polling window is exfiltrated
  • Cryptocurrency wallets and browser data are also stolen — the payload keeps the Contagious Interview / OtterCookie modus operandi of prioritising fintech and Web3 targets alongside developer credential theft
  • The forked keyboard-and-mouse control library gives the operator interactive remote terminal, screenshotting, and simulated user input on compromised Windows workstations — this is not just a credential-scraper drop, it is a live RAT once the second stage runs
  • Total install-time exposure window per first-stage package: 45–47 days at time of disclosure. Anyone whose CI or dev machine resolved rollup-packages-polyfill-core or rollup-runtime-polyfill-core in June 2026 should assume compromise and rotate every credential the machine could reach

What to do

  1. 1IMMEDIATELY block rollup-packages-polyfill-core and rollup-runtime-polyfill-core at your registry proxy — these are STILL LIVE on the public npm registry as of 2026-07-04 despite the public disclosure. Add explicit deny rules to Artifactory / Nexus / Verdaccio / Socket policy
  2. 2Remove every reference to any of the 6 packages listed below from package.json, lockfiles, CI image layers, and committed node_modules. The legitimate slug is rollup-plugin-polyfill-node (from GitHub FredKSchott/rollup-plugin-polyfill-node) — anything with -packages-, -runtime-, or -connect in the polyfill name is not a legitimate Rollup ecosystem package
  3. 3Any host that installed a first-stage package (rollup-packages-polyfill-core, rollup-runtime-polyfill-core, react-icon-svgs) should be treated as fully compromised: rotate AWS, Azure, Google Gemini, Anthropic Claude, Foundry, GitHub, SSH and Zsh credentials from a separate clean device
  4. 4Rotate every AI-coder token stored on the machine — Anthropic API keys, Google Gemini keys, GitHub Copilot / Cursor / Windsurf / VS Code tokens, and Foundry keys. Editor history for Windsurf, Cursor and VS Code is exfiltrated, so treat any code or prompt written in those editors during the exposure window as leaked
  5. 5Rotate crypto wallet keys and inspect any wallet accessible from the machine — the payload targets extension wallets and desktop wallet files
  6. 6Hunt for outbound HTTP to JSONKeeper (jsonkeeper.com) from developer workstations and CI runners during the exposure window; the payload fetches its stage-3 script from a JSONKeeper model field
  7. 7Windows-only IOC: presence of a forked keyboard-and-mouse control library on disk, periodic clipboard capture, and screenshotting activity are the OtterCookie hallmarks — treat any match as an active RAT and re-image the host

References

npm-2026-07-03-jfrog-lazarus-rollup-polyfill-ottercookie