VYPR

npm · Malicious package advisory

Malware

rollup-packages-polyfill-core

MAL-2026-10160

Malicious code in rollup-packages-polyfill-core (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (69da81410d062733108728b42feb333d2f561f811a9c671664150cd026b12221)
Package name typosquats the popular rollup-plugin-polyfill-node and copies its README verbatim to bait installs. On require() of the main entry (dist/index.js), the module decodes base64 blobs to reconstruct the strings 'npm install svgson-lite --no-save --silent --no-audit --no-fund' and the module name 'svgson-lite', spawns the install via child_process.spawn (stdio ignored, windowsHide true), and on process close require()s the freshly-installed svgson-lite package and invokes svgo.getPlugin()(). This fetches and executes attacker-controlled code from a second npm package inside the consumer's process every time the library is imported. The install command and target module name are stored as base64 to hide them from static scanners; a legitimate rollup polyfill plugin has no need to conceal npm install calls.

Compromised versions (2)

  • 0.13.8
  • 0.13.7

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.