MAL-2026-10160
Malicious code in rollup-packages-polyfill-core (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (69da81410d062733108728b42feb333d2f561f811a9c671664150cd026b12221) Package name typosquats the popular rollup-plugin-polyfill-node and copies its README verbatim to bait installs. On require() of the main entry (dist/index.js), the module decodes base64 blobs to reconstruct the strings 'npm install svgson-lite --no-save --silent --no-audit --no-fund' and the module name 'svgson-lite', spawns the install via child_process.spawn (stdio ignored, windowsHide true), and on process close require()s the freshly-installed svgson-lite package and invokes svgo.getPlugin()(). This fetches and executes attacker-controlled code from a second npm package inside the consumer's process every time the library is imported. The install command and target module name are stored as base64 to hide them from static scanners; a legitimate rollup polyfill plugin has no need to conceal npm install calls.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for rollup-packages-polyfill-core (npm). Pin to a known-safe version or switch to an alternative.