Find notable cyber news and cases, enriched with sources, timelines, and signals.

Rollup polyfill npm package malware activity for remote access and data theft

Malware Activity
First reported
Last updated
Happening score
H score 16
1 unique sources, 1 articles

Summary

Hide ▲

Malicious npm packages disguised as Rollup polyfill tooling are now delivering remote-access and data-theft payloads to developer workstations and build machines. The staged malware can steal browser data, cryptocurrency wallets, files, and clipboard content while also enabling interactive control. The package set uses lookalike names and hidden install-time execution to slip past dependency review and security scanning. That combination turns routine package installation into a high-risk supply-chain compromise path.

Related Happenings

Malicious npm and PyPI payment SDK typosquat packages

Malware Activity
H score40 First: 09.07.2026 18:09 Last: 09.07.2026 18:09 Sources 1

About this happening: The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...

Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware

Malware Activity
H score37 First: 08.07.2026 22:54 Last: 08.07.2026 22:54 Sources 1

About this happening: Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...

Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks

Malware Activity
H score30 First: 29.06.2026 08:36 Last: 29.06.2026 08:36 Sources 1

About this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...

Mastra @mastra/* npm packages hit by network compromise

Incident
H score47 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...

Latest development: 20.06.2026 17:09

Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.

Atomic-lockfile rootkit-infostealer distribution through AUR packages

Malware Activity
H score3 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...

Timeline

  1. 03.07.2026 19:07 2 articles · 6d ago

    North Korea-linked npm packages impersonate rollup-plugin-polyfill-node

    Initial Disclosure

    North Korea-linked threat actors used lookalike npm packages, including rollup-packages-polyfill-core and rollup-runtime-polyfill-core, to impersonate rollup-plugin-polyfill-node and stage malware that performs environment checks, pulls an encrypted payload from 216.126.236[.]244, and enables remote access and data theft on developer workstations and build machines. The package chain also uses swift-parse-stream, quirky-token, react-icon-svgs, and rollup-plugin-polyfill-connect as staged loaders, with JSONKeeper used to fetch and execute JavaScript malware.

    Show sources