npm · Malicious package advisory
Malwarevite-plugin-logo
MAL-2026-5714
Malicious code in vite-plugin-logo (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (b107e832dfd60ded8637d9a6db69c980eae13bde79da4cd01d69c5a1110aca2b)
On require, index.js walks up to 5 parent directories searching for `public/assets/logo.png`, scans the file bytes for the marker `__VITE_ASSET_CACHE_v1__`, base64-decodes the bytes that follow the marker, and executes them via `new Function('require', code)(require)` — passing the real `require` so the decoded payload has full Node capabilities (filesystem, network, child_process). The entire loader is wrapped in `try {... } catch (e) {}` to silently swallow errors, and uses single-letter identifiers and a marker name that masquerades as a Vite-internal cache to disguise intent. This is a steganographic loader: any project that installs and imports this plugin will execute whatever code is embedded in a PNG bearing the magic marker, giving an attacker (the package author, or anyone who can ship such a PNG into a consumer's `public/assets/` tree) a generic remote-code-execution primitive at build/import time. The package name follows the `vite-plugin-*` convention but is published under the generic placeholder author `Vite Community` with no repository or homepage, consistent with namespace abuse against the Vite plugin ecosystem.
Compromised versions (9)
- 1.1.0
- 1.0.5
- 1.1.1
- 1.0.3
- 1.0.6
- 1.0.4
- 1.0.7
- 1.0.9
- 1.0.8
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.