-= Per source details. Do not edit below this line.=-
Package name typosquats the popular rollup-plugin-polyfill-node and copies its README verbatim to bait installs. On require() of the main entry (dist/index.js), the module decodes base64 blobs to reconstruct the strings 'npm install svgson-lite --no-save --silent --no-audit --no-fund' and the module name 'svgson-lite', spawns the install via child_process.spawn (stdio ignored, windowsHide true), and on process close require()s the freshly-installed svgson-lite package and invokes svgo.getPlugin()(). This fetches and executes attacker-controlled code from a second npm package inside the consumer's process every time the library is imported. The install command and target module name are stored as base64 to hide them from static scanners; a legitimate rollup polyfill plugin has no need to conceal npm install calls.
{
"malicious-packages-origins": [
{
"sha256": "69da81410d062733108728b42feb333d2f561f811a9c671664150cd026b12221",
"id": "IN-MAL-2026-009674",
"import_time": "2026-07-10T17:10:16.43384206Z",
"versions": [
"0.13.8"
],
"modified_time": "2026-07-10T16:57:07Z",
"source": "amazon-inspector"
},
{
"sha256": "96f2a7710da85018d31f24bd4bfc5d10b25b439bc37b81eca966f761fab0c2e1",
"id": "IN-MAL-2026-009671",
"import_time": "2026-07-10T17:10:16.305545446Z",
"modified_time": "2026-07-10T16:56:40Z",
"versions": [
"0.13.7"
],
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "d436a1392d9a78b6792b39df873ff6dac785557eb8d306adc2089ed3501aab0a",
"tlsh": "f981552614f679551373b2ec5587ec71397b9393338ccb507e2c83709fa20289a72ae5",
"path": "dist/index.js"
}
],
"package_integrity": [
{
"filename": "rollup-packages-polyfill-core-0.13.8.tgz",
"hashes": {
"sha512_sri": "sha512-gU3kBACcGmOHHWWqNUuLzGwItIUW92jOXzyMgyaJDxmK3gIuGYvn7wspEkvybXcJavFpGwgs1ctF3lQ2uwds0w==",
"sha1": "7ce89074c953a6d60b4068615c72fbfc857b623d"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rollup-packages-polyfill-core/MAL-2026-10160.json"