npm

rollup-packages-polyfill-core @0.13.8

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 6:33 PM UTC

Malicious

OSV ID

MAL-2026-10160

Ecosystem

npm

Summary

Package name typosquats the popular rollup-plugin-polyfill-node and copies its README verbatim to bait installs. On require() of the main entry (dist/index.js), the module decodes base64 blobs to reconstruct the strings 'npm install svgson-lite --no-save --silent --no-audit --no-fund' and the module name 'svgson-lite', spawns the install via child_process.spawn (stdio ignored, windowsHide true), and on process close require()s the freshly-installed svgson-lite package and invokes svgo.getPlugin()(). This fetches and executes attacker-controlled code from a second npm package inside the consumer's process every time the library is imported. The install command and target module name are stored as base64 to hide them from static scanners; a legitimate rollup polyfill plugin has no need to conceal npm install calls.

Source: amazon-inspector (69da81410d062733108728b42feb333d2f561f811a9c671664150cd026b12221)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.