MAL-2026-10160

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rollup-packages-polyfill-core/MAL-2026-10160.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10160
Published
2026-07-10T16:56:40Z
Modified
2026-07-10T17:17:00.964072333Z
Summary
Malicious code in rollup-packages-polyfill-core (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (69da81410d062733108728b42feb333d2f561f811a9c671664150cd026b12221)

Package name typosquats the popular rollup-plugin-polyfill-node and copies its README verbatim to bait installs. On require() of the main entry (dist/index.js), the module decodes base64 blobs to reconstruct the strings 'npm install svgson-lite --no-save --silent --no-audit --no-fund' and the module name 'svgson-lite', spawns the install via child_process.spawn (stdio ignored, windowsHide true), and on process close require()s the freshly-installed svgson-lite package and invokes svgo.getPlugin()(). This fetches and executes attacker-controlled code from a second npm package inside the consumer's process every time the library is imported. The install command and target module name are stored as base64 to hide them from static scanners; a legitimate rollup polyfill plugin has no need to conceal npm install calls.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "69da81410d062733108728b42feb333d2f561f811a9c671664150cd026b12221",
            "id": "IN-MAL-2026-009674",
            "import_time": "2026-07-10T17:10:16.43384206Z",
            "versions": [
                "0.13.8"
            ],
            "modified_time": "2026-07-10T16:57:07Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "96f2a7710da85018d31f24bd4bfc5d10b25b439bc37b81eca966f761fab0c2e1",
            "id": "IN-MAL-2026-009671",
            "import_time": "2026-07-10T17:10:16.305545446Z",
            "modified_time": "2026-07-10T16:56:40Z",
            "versions": [
                "0.13.7"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / rollup-packages-polyfill-core

Package

Name
rollup-packages-polyfill-core
View open source insights on deps.dev
Purl
pkg:npm/rollup-packages-polyfill-core

Affected ranges

Affected versions

0.*
0.13.7
0.13.8

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "d436a1392d9a78b6792b39df873ff6dac785557eb8d306adc2089ed3501aab0a",
            "tlsh": "f981552614f679551373b2ec5587ec71397b9393338ccb507e2c83709fa20289a72ae5",
            "path": "dist/index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "rollup-packages-polyfill-core-0.13.8.tgz",
            "hashes": {
                "sha512_sri": "sha512-gU3kBACcGmOHHWWqNUuLzGwItIUW92jOXzyMgyaJDxmK3gIuGYvn7wspEkvybXcJavFpGwgs1ctF3lQ2uwds0w==",
                "sha1": "7ce89074c953a6d60b4068615c72fbfc857b623d"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rollup-packages-polyfill-core/MAL-2026-10160.json"