# Malicious code in react-vite-assert (npm)

VYPR · npm malicious package advisory MAL-2026-5933 · Package: react-vite-assert · Classification: Malware

## Details



## Source: amazon-inspector (746aecfafda9a8f780b53ef40a5697875c52514dfa6ebb29306992ad06128395)
react-vite-assert@1.4.1 executes attacker-controlled JavaScript whenever the package is imported. The main entry transitively loads src/features/extras/config.js, which runs a top-level async IIFE that issues an HTTPS GET to https://www.jsonkeeper.com/b/HXDNM, takes the `data.config` string from the response, wraps it with `new Function('require', s)`, and invokes it with a `require` built from `createRequire(import.meta.url)`. The fetched code therefore gets full Node.js access: filesystem, network, child_process and environment variables. The fetch is retried up to 5 times.

The remote URL and request headers are disguised behind a fake local `process` shadow object whose keys are named DEV_API_KEY, DEV_SECRET_KEY and DEV_SECRET_VALUE; DEV_API_KEY actually holds the paste URL and the other two hold a request header name and value. This is deliberate misdirection rather than configuration.

jsonkeeper.com is an anonymous, mutable paste host: whoever controls /b/HXDNM can change the executed payload at any time without republishing the package. The combination of import-time auto-execution, an anonymous mutable code source, evaluation of fetched bytes with a full `require`, and cover-story variable naming is unambiguous supply-chain attack tradecraft.

Compromised versions (1)

  • 1.4.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.