npm

rollup-plugin-polyfill-handler @1.0.1

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC

Malicious

OSV ID

MAL-2026-6826

Ecosystem

npm

Summary

Package name mimics the rollup-plugin-* ecosystem but exposes no Rollup plugin API. Its exported functions getPlugin, setPlugin, and getPluginExten each issue an HTTP GET to https://rest-icon-handler.store/icons/<token> and pass the response body through JSON.parse followed by eval, executing whatever the remote server returns inside the caller's Node.js process. The destination URL is assembled from split string fragments (protocol/separator/subdomain/domain/path plus numeric token variables) rather than a literal, a lightweight obfuscation to defeat URL scanners. getPlugin also chains into getPluginExten, causing a single call to trigger multiple remote-code fetches. Any consumer that imports this package and invokes an exported function grants the operator of rest-icon-handler.store full remote code execution on the installer's machine. Name and description present the package as a Rollup polyfill helper to lure developers into installing and invoking it.

Source: amazon-inspector (8fcd05581537eece4993579cb664215a82b87dad2bdb03cae7ba998ba092a79d)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.