registry  /  rollup-packages-polyfill-core  /  0.13.7

rollup-packages-polyfill-core@0.13.7

rollup-plugin-polyfill-node ===

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10160 confirms this npm version as malicious. Package name typosquats the popular rollup-plugin-polyfill-node and copies its README verbatim to bait installs. On require() of the main entry (dist/index.js), the module decodes base64 blobs to reconstruct the strings 'npm install svgson-lite --no-save --silent --no-audit --no-fund' and the module name 'svgson-lite', spawns the install via child_process.spawn (stdio ignored, windowsHide true), and on process close...

Advisory
MAL-2026-10160
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in rollup-packages-polyfill-core (npm)
Details
Package name typosquats the popular rollup-plugin-polyfill-node and copies its README verbatim to bait installs. On require() of the main entry (dist/index.js), the module decodes base64 blobs to reconstruct the strings 'npm install svgson-lite --no-save --silent --no-audit --no-fund' and the module name 'svgson-lite', spawns the install via child_process.spawn (stdio ignored, windowsHide true), and on process close require()s the freshly-installed svgson-lite package and invokes svgo.getPlugin()(). This fetches and executes attacker-controlled code from a second npm package inside the consumer's process every time the library is imported. The install command and target module name are stored as base64 to hide them from static scanners; a legitimate rollup polyfill plugin has no need to conceal npm install calls.
Decision reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 1.00 MB of source, external domains: bevry.me, bit.ly, blog.axqd.net, blog.izs.me, bugzilla.mozilla.org, code.google.com, codereview.chromium.org, developer.mozilla.org, dominictarr.com, dustindiaz.com, en.wikipedia.org, example.com, feross.org, foo.com, github.com, goo.gl, jensarps.de, jryans.mit-license.org, juliangruber.com, macinn.es, mathiasbynens.be, msdn.microsoft.com, mths.be, n8.io, narwhaljs.org, nodejs.org, onirame.com, paul.vorba.ch, spdx.org, stackoverflow.com, stagas.com, substack.net, tools.ietf.org, twitter.com, wiki.commonjs.org, www.blakeminer.com, www.example.com, www.w3.org, www.whatwg.org, yabfog.com

Source & flagged code

4 flagged · loading source
dist/index.jsView file
83L84: const { spawn } = require('child_process'); L85:
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L83
2L3: const inject = require('@rollup/plugin-inject'); L4: const modules = require('./modules.js');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L2
dist/polyfills.jsView file
2L3: const POLYFILLS = { "__http-lib/capability.js": "export var hasFetch = isFunction(global.fetch) && isFunction(global.ReadableStream)\n\nvar _blobConstructor;\nexport function blobC... L4:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/polyfills.jsView on unpkg · L2
2L3: const POLYFILLS = { "__http-lib/capability.js": "export var hasFetch = isFunction(global.fetch) && isFunction(global.ReadableStream)\n\nvar _blobConstructor;\nexport function blobC... L4:
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/polyfills.jsView on unpkg · L2

Findings

2 High5 Medium5 Low
HighChild Processdist/index.js
HighSame File Env Network Executiondist/polyfills.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/polyfills.js
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings