npm

rollup-runtime-polyfill-core @0.14.0

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 6:33 PM UTC

Malicious

OSV ID

MAL-2026-6372

Ecosystem

npm

Summary

Package name mimics the legitimate rollup-plugin-polyfill-node and copies its source (the repository field in package.json points to FredKSchott/rollup-plugin-polyfill-node). Appended to dist/index.js is a top-level dropper that runs on every require() / import of the package. The dropper decodes base64-encoded strings to assemble the command npm install driftpin --no-save --silent --no-audit --no-fund , spawns it with stdio: 'ignore' and windowsHide: true to suppress output, then on process close performs require('driftpin') and invokes getPlugin()() . The target module name driftpin is also stored as a base64 literal ( ZHJpZnRwaW4= ). driftpin is not declared in this package's dependencies and is not shipped in the tarball — its content is attacker-controlled and unpinned, so arbitrary code from a separate npm package executes inside the installer's Node process whenever this module is loaded. The combination of name impersonation of a legitimate polyfill, base64 obfuscation of the command and target name, hidden execution flags, and out-of-tree installation of an unrelated package is an unambiguous install/import-time RCE dropper.

Source: amazon-inspector (90dc8536f81ef2ffbd391877bbe1eefbefc900081ef6eaa9848548177c233167)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.