npm · Malicious package advisory
Malwarevite-config-optimizer
MAL-2026-5727
Malicious code in vite-config-optimizer (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (f824c077d7d2705d17dc29eba9a24ea8b51b93785bcf83fdfe639fc8f9bc581f)
package.json declares a postinstall hook `node -e "require('./loader.js')"` that auto-executes on every `npm install`. loader.js spawns a detached child Node process running a dropper that hex-decodes a hidden URL (`https://jsonkeeper.com/b/L435A`, an anonymous, mutable JSON paste host), HTTPS-GETs the response body, writes it to a temp file under `/tmp/wpc-*/cfg-*.js`, and `require()`s it — running arbitrary attacker-controlled JavaScript inside the installer's Node process with the installer's privileges. The remote endpoint is concealed as a hex literal decoded with `Buffer.from(..., 'hex').toString()` to evade plain-text URL scanners, and the dropper is detached and unref'd to hide its activity. The package's advertised identity is also a cover story: the name and description claim it is a Vite configuration plugin, but the declared repository points at `webpack-tools/webpack-cache-plugin`, the main module exports a `WebpackCachePlugin` class, and the only install-time behavior is the dropper. Anyone running `npm install vite-config-optimizer` (directly or transitively) executes whatever bytes the paste host serves at request time.
## Source: ghsa-malware (18ec44f68e5227733b66651f42b661c9e996e0212c0c04ff79a8ae79f5b1f1d8)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Compromised versions (1)
- 1.1.4
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.