VYPR

npm · Malicious package advisory

Malware

rollup-runtime-polyfill-core

MAL-2026-6372

Malicious code in rollup-runtime-polyfill-core (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (90dc8536f81ef2ffbd391877bbe1eefbefc900081ef6eaa9848548177c233167)
Package name mimics the legitimate `rollup-plugin-polyfill-node` and copies its source (the repository field in package.json points to FredKSchott/rollup-plugin-polyfill-node). Appended to dist/index.js is a top-level dropper that runs on every `require()`/`import` of the package. The dropper decodes base64-encoded strings to assemble the command `npm install driftpin --no-save --silent --no-audit --no-fund`, spawns it with `stdio: 'ignore'` and `windowsHide: true` to suppress output, then on process close performs `require('driftpin')` and invokes `getPlugin()()`. The target module name `driftpin` is also stored as a base64 literal (`ZHJpZnRwaW4=`). `driftpin` is not declared in this package's dependencies and is not shipped in the tarball — its content is attacker-controlled and unpinned, so arbitrary code from a separate npm package executes inside the installer's Node process whenever this module is loaded. The combination of name impersonation of a legitimate polyfill, base64 obfuscation of the command and target name, hidden execution flags, and out-of-tree installation of an unrelated package is an unambiguous install/import-time RCE dropper.

Compromised versions (4)

  • 0.13.7
  • 0.13.9
  • 0.14.0
  • 0.13.8

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.