MAL-2026-10092

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-pwa-config/MAL-2026-10092.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10092
Published
2026-07-09T18:49:09Z
Modified
2026-07-09T21:16:56.969885081Z
Summary
Malicious code in vite-pwa-config (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (bab1e251883a8eceecc27c935ed05352375d438c1efbbd8727f2b13a766409d0)

Package vite-pwa-config impersonates the popular vite-plugin-pwa (antfu) — the README instructs users to import configJson from vite-plugin-pwa, and package metadata reuses that project's funding link, badges, and banner. When the exported configJson/configField is invoked from a project's vite.config, dist/index.cjs/index.mjs spawns a detached node child (stdio:"ignore", child.unref()) running the bundled dist/client/dev/viteopt.js. That helper fetches a JavaScript string from https://www.jsonkeeper.com/b/FNOBS via axios and passes it to new Function('require', s)(require), giving the anonymous remote endpoint arbitrary code execution in the developer's build environment with full require access. The remote URL is disguised behind a local process = { env: { DEV_API_URL:..., DEV_SECREDT:..., DEV_PREFIX:... } } shadow object to make the fetch look like ordinary env-driven configuration. Detached/silenced child spawning plus the cover-story env shim are deliberate evasion of casual review, and jsonkeeper.com is a mutable, anonymous paste host — today's content can be swapped for any payload at any time. This is a typosquat lure carrying an unpinned remote-fetch-and-eval dropper.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "bab1e251883a8eceecc27c935ed05352375d438c1efbbd8727f2b13a766409d0",
            "id": "IN-MAL-2026-009388",
            "import_time": "2026-07-09T19:05:00.455825012Z",
            "modified_time": "2026-07-09T18:49:09Z",
            "versions": [
                "1.1.1"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.1.2"
            ],
            "id": "IN-MAL-2026-009397",
            "modified_time": "2026-07-09T20:42:02Z",
            "import_time": "2026-07-09T21:03:50.829717433Z",
            "sha256": "b2218a7874aeff01d6bb41eb677af428f8864aec1a7979319a1be932d948da46",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / vite-pwa-config

Package

Affected ranges

Affected versions

1.*
1.1.1
1.1.2

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "vite-pwa-config-1.1.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-X3HqhN2o1RDgw/2RZH8kTnEkACMSIH2PuBqy99hmkcctCOJbMK0iWAymGYyDdlxfyj/Zzds+Soriy85g3R+R5g==",
                "sha1": "2ee132d9ca78a61e667d8e990d9b327c87eb5054"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "002ba94ab1ebfc5aae7956529b1a26c6543baa01bf0e024d3d8fa8dea1fc8693",
            "tlsh": "9a21af1e34bc64a8017023f5a73bd822fa69283b314290d9779c87a21f365595242edd",
            "path": "dist/client/dev/viteopt.js"
        },
        {
            "sha256": "91906a91c5648c35cc51e89542825d564b55df7ff14c010caf5c9cf84a8118af",
            "tlsh": "977163e394d855970f109ce6fd08718aea3342eed5c2f080e77a643ad5c0b45423b6dd",
            "path": "README.md"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-pwa-config/MAL-2026-10092.json"