Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10160: Malicious code in rollup-packages-polyfill-core (npm)

0
High
Published: 07/10/2026 (07/10/2026, 16:56:40 UTC)
Source: GCVE Database
Product: rollup-packages-polyfill-core

Description

The npm package rollup-packages-polyfill-core versions 0.13.7 and 0.13.8 is a malicious typosquatting package that impersonates the legitimate rollup-plugin-polyfill-node. Upon requiring its main entry, it decodes and executes a hidden npm install command to fetch and run attacker-controlled code from another malicious package, svgson-lite. This behavior occurs every time the package is imported, enabling remote code execution within the consumer's process.

Affected software

npmghsa
rollup-packages-polyfill-core
Affected versions
=0.13.8=0.13.7

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/11/2026, 09:58:19 UTC

Technical Analysis

rollup-packages-polyfill-core is a malicious npm package designed to impersonate the legitimate rollup-plugin-polyfill-node by copying its README and using a similar name. When its main module (dist/index.js) is required, it decodes base64-encoded strings to reconstruct and execute an npm install command for the svgson-lite package using child_process.spawn with hidden stdio and windowsHide options. After installation, it requires svgson-lite and invokes svgo.getPlugin()(), which executes attacker-controlled code inside the importing process. The use of base64 encoding is intended to evade static detection. This package is a supply chain threat that executes arbitrary code during module import.

Potential Impact

This malicious package enables execution of arbitrary attacker-controlled code within the context of any project that imports rollup-packages-polyfill-core versions 0.13.7 or 0.13.8. This can lead to compromise of the development or build environment, potential data theft, persistence, or further malware deployment. The attack is triggered automatically on module import, increasing risk of unnoticed exploitation.

Mitigation Recommendations

No official patch or remediation is currently documented for this malicious package. Users should immediately remove rollup-packages-polyfill-core versions 0.13.7 and 0.13.8 from their dependencies and replace them with the legitimate rollup-plugin-polyfill-node package. Avoid installing packages with suspicious or similar names to popular packages. Monitor dependency trees for typosquatting or malicious packages. Since this is a malicious package, remediation involves removal and replacement rather than patching.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10160
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a520ecc68715ace438f63fb

Added to database: 07/11/2026, 09:37:16 UTC

Last enriched: 07/11/2026, 09:58:19 UTC

Last updated: 07/12/2026, 03:33:18 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses