MAL-2026-10160: Malicious code in rollup-packages-polyfill-core (npm)
The npm package rollup-packages-polyfill-core versions 0.13.7 and 0.13.8 is a malicious typosquatting package that impersonates the legitimate rollup-plugin-polyfill-node. Upon requiring its main entry, it decodes and executes a hidden npm install command to fetch and run attacker-controlled code from another malicious package, svgson-lite. This behavior occurs every time the package is imported, enabling remote code execution within the consumer's process.
AI Analysis
Technical Summary
rollup-packages-polyfill-core is a malicious npm package designed to impersonate the legitimate rollup-plugin-polyfill-node by copying its README and using a similar name. When its main module (dist/index.js) is required, it decodes base64-encoded strings to reconstruct and execute an npm install command for the svgson-lite package using child_process.spawn with hidden stdio and windowsHide options. After installation, it requires svgson-lite and invokes svgo.getPlugin()(), which executes attacker-controlled code inside the importing process. The use of base64 encoding is intended to evade static detection. This package is a supply chain threat that executes arbitrary code during module import.
Potential Impact
This malicious package enables execution of arbitrary attacker-controlled code within the context of any project that imports rollup-packages-polyfill-core versions 0.13.7 or 0.13.8. This can lead to compromise of the development or build environment, potential data theft, persistence, or further malware deployment. The attack is triggered automatically on module import, increasing risk of unnoticed exploitation.
Mitigation Recommendations
No official patch or remediation is currently documented for this malicious package. Users should immediately remove rollup-packages-polyfill-core versions 0.13.7 and 0.13.8 from their dependencies and replace them with the legitimate rollup-plugin-polyfill-node package. Avoid installing packages with suspicious or similar names to popular packages. Monitor dependency trees for typosquatting or malicious packages. Since this is a malicious package, remediation involves removal and replacement rather than patching.
MAL-2026-10160: Malicious code in rollup-packages-polyfill-core (npm)
Description
The npm package rollup-packages-polyfill-core versions 0.13.7 and 0.13.8 is a malicious typosquatting package that impersonates the legitimate rollup-plugin-polyfill-node. Upon requiring its main entry, it decodes and executes a hidden npm install command to fetch and run attacker-controlled code from another malicious package, svgson-lite. This behavior occurs every time the package is imported, enabling remote code execution within the consumer's process.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
rollup-packages-polyfill-core is a malicious npm package designed to impersonate the legitimate rollup-plugin-polyfill-node by copying its README and using a similar name. When its main module (dist/index.js) is required, it decodes base64-encoded strings to reconstruct and execute an npm install command for the svgson-lite package using child_process.spawn with hidden stdio and windowsHide options. After installation, it requires svgson-lite and invokes svgo.getPlugin()(), which executes attacker-controlled code inside the importing process. The use of base64 encoding is intended to evade static detection. This package is a supply chain threat that executes arbitrary code during module import.
Potential Impact
This malicious package enables execution of arbitrary attacker-controlled code within the context of any project that imports rollup-packages-polyfill-core versions 0.13.7 or 0.13.8. This can lead to compromise of the development or build environment, potential data theft, persistence, or further malware deployment. The attack is triggered automatically on module import, increasing risk of unnoticed exploitation.
Mitigation Recommendations
No official patch or remediation is currently documented for this malicious package. Users should immediately remove rollup-packages-polyfill-core versions 0.13.7 and 0.13.8 from their dependencies and replace them with the legitimate rollup-plugin-polyfill-node package. Avoid installing packages with suspicious or similar names to popular packages. Monitor dependency trees for typosquatting or malicious packages. Since this is a malicious package, remediation involves removal and replacement rather than patching.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10160
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a520ecc68715ace438f63fb
Added to database: 07/11/2026, 09:37:16 UTC
Last enriched: 07/11/2026, 09:58:19 UTC
Last updated: 07/12/2026, 03:33:18 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.