{"id":"MAL-2026-10160","summary":"Malicious code in rollup-packages-polyfill-core (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (69da81410d062733108728b42feb333d2f561f811a9c671664150cd026b12221)\nPackage name typosquats the popular rollup-plugin-polyfill-node and copies its README verbatim to bait installs. On require() of the main entry (dist/index.js), the module decodes base64 blobs to reconstruct the strings 'npm install svgson-lite --no-save --silent --no-audit --no-fund' and the module name 'svgson-lite', spawns the install via child_process.spawn (stdio ignored, windowsHide true), and on process close require()s the freshly-installed svgson-lite package and invokes svgo.getPlugin()(). This fetches and executes attacker-controlled code from a second npm package inside the consumer's process every time the library is imported. The install command and target module name are stored as base64 to hide them from static scanners; a legitimate rollup polyfill plugin has no need to conceal npm install calls.\n","modified":"2026-07-10T17:17:00.964072333Z","published":"2026-07-10T16:56:40Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-10T17:10:16.43384206Z","source":"amazon-inspector","modified_time":"2026-07-10T16:57:07Z","id":"IN-MAL-2026-009674","versions":["0.13.8"],"sha256":"69da81410d062733108728b42feb333d2f561f811a9c671664150cd026b12221"},{"source":"amazon-inspector","import_time":"2026-07-10T17:10:16.305545446Z","modified_time":"2026-07-10T16:56:40Z","sha256":"96f2a7710da85018d31f24bd4bfc5d10b25b439bc37b81eca966f761fab0c2e1","versions":["0.13.7"],"id":"IN-MAL-2026-009671"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/rollup-packages-polyfill-core/v/0.13.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/rollup-packages-polyfill-core/v/0.13.7"}],"affected":[{"package":{"name":"rollup-packages-polyfill-core","ecosystem":"npm","purl":"pkg:npm/rollup-packages-polyfill-core"},"versions":["0.13.8","0.13.7"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rollup-packages-polyfill-core/MAL-2026-10160.json","indicators":{"evidence_files":[{"tlsh":"f981552614f679551373b2ec5587ec71397b9393338ccb507e2c83709fa20289a72ae5","sha256":"d436a1392d9a78b6792b39df873ff6dac785557eb8d306adc2089ed3501aab0a","path":"dist/index.js"}],"package_integrity":[{"hashes":{"sha1":"7ce89074c953a6d60b4068615c72fbfc857b623d","sha512_sri":"sha512-gU3kBACcGmOHHWWqNUuLzGwItIUW92jOXzyMgyaJDxmK3gIuGYvn7wspEkvybXcJavFpGwgs1ctF3lQ2uwds0w=="},"filename":"rollup-packages-polyfill-core-0.13.8.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}