VYPR

npm · Malicious package advisory

Malware

@vite-js/ui

MAL-2026-7021

Malicious code in @vite-js/ui (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (476576198de86a58304788ac79ac3c8ca21b5029d9e824e3ffab41f539146c3b)
Package `@vite-js/ui` impersonates the official `vite` package: package.json declares author 'Evan You', homepage 'https://vitejs.dev', ships an unmodified Vite README and a near-verbatim Vite `dist/` tree, and exposes `bin.vite` pointing at `bin/vite.js` — so any developer who installs this and runs the documented `vite` command executes this package's CLI. Appended to the legitimate Vite bin code in `bin/vite.js` is a heavily obfuscated IIFE that reconstructs strings from a packed blob via a custom shuffler (keyed by 4606094, with `%`/`#1`/`#0` substitutions) to hide the identifiers `http`, `child_process`, `JSON`, `eval`, and `spawn`. At runtime it issues a JSON-RPC HTTP fetch, XOR-decodes the response using a key derived from a remote field, passes the decoded buffer to `eval(r)`, and then calls `child_process.spawn` with `{detached:true, stdio:..., windowsHide:true}` on a second fetched-and-decoded payload — a hidden, detached process that outlives the CLI invocation and provides a persistent execution channel. A short time-gate throttles re-trigger. Legitimate Vite has no such bootstrap; the custom string-array obfuscator covers only the network/eval/spawn surface, which is the canonical dropper-plus-backdoor shape.

Compromised versions (2)

  • 7.15.16
  • 7.15.10

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.