registry  /  rollup-runtime-polyfill-core  /  0.13.8

rollup-runtime-polyfill-core@0.13.8

rollup-runtime-polyfill-core ===

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6372 confirms this npm version as malicious. Package name mimics the legitimate `rollup-plugin-polyfill-node` and copies its source (the repository field in package.json points to FredKSchott/rollup-plugin-polyfill-node). Appended to dist/index.js is a top-level dropper that runs on every `require()`/`import` of the package...

Advisory
MAL-2026-6372
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in rollup-runtime-polyfill-core (npm)
Details
Package name mimics the legitimate `rollup-plugin-polyfill-node` and copies its source (the repository field in package.json points to FredKSchott/rollup-plugin-polyfill-node). Appended to dist/index.js is a top-level dropper that runs on every `require()`/`import` of the package. The dropper decodes base64-encoded strings to assemble the command `npm install driftpin --no-save --silent --no-audit --no-fund`, spawns it with `stdio: 'ignore'` and `windowsHide: true` to suppress output, then on process close performs `require('driftpin')` and invokes `getPlugin()()`. The target module name `driftpin` is also stored as a base64 literal (`ZHJpZnRwaW4=`). `driftpin` is not declared in this package's dependencies and is not shipped in the tarball — its content is attacker-controlled and unpinned, so arbitrary code from a separate npm package executes inside the installer's Node process whenever this module is loaded. The combination of name impersonation of a legitimate polyfill, base64 obfuscation of the command and target name, hidden execution flags, and out-of-tree installation of an unrelated package is an unambiguous install/import-time RCE dropper.
Decision reason
OpenSSF Malicious Packages via OSV confirms rollup-runtime-polyfill-core@0.13.8 as malicious (MAL-2026-6372): Malicious code in rollup-runtime-polyfill-core (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory