Lazarus npm Backdoors Target Developer AWS Keys and AI API Credentials
Six npm packages published in early July were removed this week after JFrog researchers linked them to Lazarus Group, North Korea's most prolific state-sponsored hacking team. The packages mimicked rollup-plugin-polyfill-node—a legitimate bundler utility used across countless JavaScript projects—right down to the metadata and package description. Buried inside was a multi-stage dropper built around OtterCookie, a known Lazarus malware family with remote terminal access, screenshot capture, and aggressive credential harvesting. The specific list of things it went after should give any business with a development team serious pause.
What the Packages Actually Did
The initial packages installed cleanly, then pulled in hidden secondary dependencies disguised as SVG utilities. Those utilities reached out to a remote server, retrieved JSON objects containing executable payloads, and assembled the OtterCookie implant in memory—a layered approach designed to stay under automated registry scanners. Once running, it hunted for credentials and configuration files across a precise target list:
- Cloud platform credentials: AWS, Microsoft Azure, and Google Gemini configs
- AI service API keys: Anthropic Claude and Google Foundry
- Developer tool histories from VS Code, Windsurf, and Cursor
- SSH private keys, browser session data, and clipboard contents
- Cryptocurrency wallet data
All six packages were pulled from the npm registry after JFrog's report, but not before an unknown number of developers had already run npm install.
A Pattern, Not a One-Off
The rollup polyfill packages are the latest chapter in a sustained 2026 campaign. In April, researchers documented 108 malicious npm packages spanning 261 versions—all tied to the same North Korean operation, Contagious Interview. That wave also introduced TaskJacker, a technique that injected malicious VS Code task files directly into GitHub repositories, compromising nearly 2,000 public repos and over a thousand developer accounts.
A month earlier, on March 31, 2026, a separate North Korean group tracked by Google as UNC1069 compromised Axios itself. Axios handles HTTP requests in JavaScript and clocks roughly 100 million weekly downloads with more than 174,000 dependent packages. The attackers got into a maintainer account, published two trojanized versions (1.14.1 and 0.30.4), and injected a fake dependency named plain-crypto-js that silently installed the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux. Within three hours of publication, at least 135 developer endpoints had already contacted the attacker's command-and-control server.
The broader ecosystem numbers are striking. Sonatype's 2026 State of the Software Supply Chain report counted more than 454,600 new malicious open-source packages in 2025 alone, pushing the cumulative blocked total past 1.233 million—a 75% jump year over year.
Why AI and Cloud Credentials Are the New Target
The focus on AI service credentials alongside cloud keys reflects where the value has moved. An AWS key with broad permissions can drain tens of thousands of dollars in compute within hours. A Claude or OpenAI API key enables large-scale abuse billed to the victim's account. A compromised Cursor or VS Code session history hands an attacker a window into proprietary source code, database strings, and internal tooling. Developer workstations are high-value, low-friction targets: developers install packages constantly and often run with more local access than is strictly necessary.
Contagious Interview layers social engineering on top. Attackers pose as recruiters on LinkedIn and GitHub, send fake job offers, and deliver coding assessments that require cloning an unfamiliar repository. By the time the developer runs the test suite, the implant is already phoning home. An earlier wave of this campaign put 338 malicious packages in front of developers, downloaded more than 50,000 times—not because developers were careless, but because the packaging was professional and the delivery step was a plausible workflow.
What Businesses and Developers Should Do
- Lock your lockfiles. Commit
package-lock.jsonoryarn.lockand usenpm ciin CI/CD rather thannpm install. This pins the exact dependency tree and prevents silent resolution of newer, potentially poisoned versions. - Disable lifecycle scripts when evaluating unfamiliar packages. Run
npm install --ignore-scriptsor setignore-scripts=truein.npmrc. The dropper in both the Axios and rollup attacks relied onpostinstallscripts executing automatically. - Treat dependency additions as code changes. Tools like Socket.dev, Snyk, or
npm auditcan flag suspicious packages before they land. Any PR adding a new dependency deserves the same scrutiny as logic changes. - If you ran Axios 1.14.1 or 0.30.4, rotate credentials now. Any machine that installed these versions on March 31–April 1, 2026 should be treated as compromised: rotate AWS keys, revoke API tokens, and audit cloud access logs.
- Brief developers on the fake recruiter vector. A coding exercise from an unknown LinkedIn contact that requires running an unfamiliar repo warrants scrutiny. At minimum, do it in an isolated, sandboxed environment.
- Isolate dev environments. Container-based setups (Devcontainers, GitHub Codespaces, Nix shells) limit blast radius dramatically—a credential-stealing package running inside an ephemeral container with no mounted cloud credentials does a fraction of the damage.
At Falcon Internet, lockfile integrity checks and dependency-tree diffing are standard parts of the build pipeline for client projects—not because a supply chain attack seemed likely, but because the trend data made it obvious it was coming for someone. The question is whether you catch it in CI or during an incident review.