VDB
GCVE-110-OSM-2026-1592
GCVE-110-OSM-2026-1592
Advisory PublishedCVSS 9.6/10
Backdoor disguised as a Rollup build plugin: getPlugin() fetches JavaScript from attacker-controlled domain rest-icon-handler.store/icons/903 and executes it via eval(JSON.parse(body)), giving the attacker arbitrary code execution in the developer's build environment. setPlugin() performs an identical fetch and eval against rest-icon-handler.store/icons/77. A decoy setDefaultModule() function referencing legitimate CDN providers (Cloudflare, Fastly, Akamai) is included to create the appearance of a legitimate icon-fetching utility.
index.js constructs the C2 base URL from split literals: protocol='https', separator='://', subdomain='rest-icon-handler', domain='store', path='/icons/' → https://rest-icon-handler.store/icons/. getPlugin() appends token '903' and setPlugin() appends '77'. Both use the npm 'request' library, call req(options, cb), and in the callback execute eval(JSON.parse(b)) with no validation of the remote content. Retry logic (mreq with atlf counter) ensures the payload fetch is retried on failure. No install hook — triggers when the exported functions are called.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | rollup-plugin-polyfill-route | 1.0.2 (affected) | — |
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.