VYPR

npm · Malicious package advisory

Malware

@vitets/vite-ts

MAL-2026-10528

Malicious code in @vitets/vite-ts (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8fe093d0d0fa83ab20aa57e9d9c8500e03a25ead578ff351fdc3609118cf5ecf)
Package is published as `@vitets/vite-ts` and copies the legitimate Vite project's author (`Evan You`), README, homepage (`vitejs.dev`), and repository (`github.com/vitejs/vite`) to impersonate the real `vite` / `@vitejs/*` packages, and declares a `bin` entry named `vite` so consumers who install it and run the `vite` CLI execute the package's `bin/vite.js`. After ~5KB of whitespace padding, `bin/vite.js` contains an obfuscated payload that uses a custom string-scramble routine to hide identifiers (`require`, `child_process`, `spawn`, `eval`, hostnames, HTTP/JSON-RPC method names) as numeric indices into a reconstructed string table, defeating static IOC scanning. The decoded routine performs an HTTPS GET and a JSON-RPC POST to remote hosts, XORs the response with a key fetched from a second endpoint, runs `eval(r)` on the result, and additionally `child_process.spawn`s a detached background process to execute it (with `detached:true`, `windowsHide:true`). This gives the publisher arbitrary code execution on the developer's machine every time the `vite` CLI is invoked, with no integrity check on the fetched code. The package's `dist/` bundle also contains base64+Buffer decode primitives consistent with additional obfuscated payload handling.

Compromised versions (1)

  • 1.5.10

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.