VYPR

npm · Malicious package advisory

Malware

@vite-pro/vite-ui

MAL-2026-10526

Malicious code in @vite-pro/vite-ui (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9aaf307faea8efb93af6f3c8ee4811304a7d9afa25f1c9525aed108efea439e7)
Package `@vite-pro/vite-ui` impersonates the official `vite` package: `package.json` declares author `Evan You`, points `repository` at `github.com/vitejs/vite`, sets `homepage` to `vitejs.dev`, ships the upstream Vite README, and exposes a `bin` named `vite`. Appended to the end of `bin/vite.js`, after the legitimate CLI bootstrap and a large block of trailing whitespace, is an obfuscated IIFE that constructs a string table via a seeded Fisher-Yates shuffle (seed 4606094) to hide endpoints, method names, and constants. The loader then fetches a remote payload over HTTP, XOR-decrypts it with an embedded key, and `eval`s the result. It subsequently fetches a second payload and passes it to `child_process.spawn` with `detached:true`, `stdio:'ignore'`, and `windowsHide:true`, establishing a hidden, long-running process independent of the parent `vite` invocation. The loader runs every time a developer executes `vite`, `npx vite`, or `npm run dev|build`, giving the attacker arbitrary code execution and a persistent background process on the developer machine on each CLI use. The obfuscation technique (seeded string-array shuffle + XOR + eval + detached spawn) matches reported blockchain-C2 loader families.

Compromised versions (1)

  • 2.5.10

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.