npm · Malicious package advisory
Malwaremdb-vite
MAL-2026-10144
Malicious code in mdb-vite (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (d24ffe7ac6e64aab50d9ba84f5b06ffd1047663698d25071770749b36afe6543)
The package's default export `getPlugin` performs an HTTPS fetch to https://svganchordev.net/icons/107 with URL components split across `protocol`, `domain`, `separator`, and `path` variables to disguise the destination, then passes the response's `credits` field to `new Function('require','module',...,data.credits)` and invokes it with full Node capabilities (require, module, process, Buffer, global, __dirname=process.cwd()). Any consumer that imports the package and invokes the default export runs attacker-controlled code with the installer's Node privileges — enabling arbitrary payload delivery, credential theft, persistence, or downstream compromise. Additional misdirection: the package name `mdb-vite` evokes MDBootstrap/Vite tooling, keywords are `react, helper, svg`, the README titles itself `polymarket-clob-api`, and package.json describes it as a Polymarket CLOB SDK — none of which match the code, which only fetches and evals remote JavaScript. A `bearrtoken: 'logo'` header and an unused CDN-provider map (cloudflare/fastly/akamai/cloudfront) are decoys to make the loader appear CDN-related.
## Source: ghsa-malware (5e2c6b3eff8c409ee862db83e5d1211582cd14238384a89c0bc6b31b16fbead7)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Compromised versions (1)
- 1.5.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.