OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10160 confirms this npm version as malicious. Package name typosquats the popular rollup-plugin-polyfill-node and copies its README verbatim to bait installs. On require() of the main entry (dist/index.js), the module decodes base64 blobs to reconstruct the strings 'npm install svgson-lite --no-save --silent --no-audit --no-fund' and the module name 'svgson-lite', spawns the install via child_process.spawn (stdio ignored, windowsHide true), and on process close...
Decision evidence
public snapshotSource & flagged code
4 flagged · loading sourcePackage source references dynamic require/import behavior.
dist/index.jsView on unpkg · L2A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/polyfills.jsView on unpkg · L2Package source references a known benign dynamic code generation pattern.
dist/polyfills.jsView on unpkg · L2