-= Per source details. Do not edit below this line.=-
Package vite-pwa-config impersonates the popular vite-plugin-pwa (antfu) — the README instructs users to import configJson from vite-plugin-pwa, and package metadata reuses that project's funding link, badges, and banner. When the exported configJson/configField is invoked from a project's vite.config, dist/index.cjs/index.mjs spawns a detached node child (stdio:"ignore", child.unref()) running the bundled dist/client/dev/viteopt.js. That helper fetches a JavaScript string from https://www.jsonkeeper.com/b/FNOBS via axios and passes it to new Function('require', s)(require), giving the anonymous remote endpoint arbitrary code execution in the developer's build environment with full require access. The remote URL is disguised behind a local process = { env: { DEV_API_URL:..., DEV_SECREDT:..., DEV_PREFIX:... } } shadow object to make the fetch look like ordinary env-driven configuration. Detached/silenced child spawning plus the cover-story env shim are deliberate evasion of casual review, and jsonkeeper.com is a mutable, anonymous paste host — today's content can be swapped for any payload at any time. This is a typosquat lure carrying an unpinned remote-fetch-and-eval dropper.
{
"malicious-packages-origins": [
{
"sha256": "bab1e251883a8eceecc27c935ed05352375d438c1efbbd8727f2b13a766409d0",
"id": "IN-MAL-2026-009388",
"import_time": "2026-07-09T19:05:00.455825012Z",
"modified_time": "2026-07-09T18:49:09Z",
"versions": [
"1.1.1"
],
"source": "amazon-inspector"
},
{
"versions": [
"1.1.2"
],
"id": "IN-MAL-2026-009397",
"modified_time": "2026-07-09T20:42:02Z",
"import_time": "2026-07-09T21:03:50.829717433Z",
"sha256": "b2218a7874aeff01d6bb41eb677af428f8864aec1a7979319a1be932d948da46",
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "vite-pwa-config-1.1.1.tgz",
"hashes": {
"sha512_sri": "sha512-X3HqhN2o1RDgw/2RZH8kTnEkACMSIH2PuBqy99hmkcctCOJbMK0iWAymGYyDdlxfyj/Zzds+Soriy85g3R+R5g==",
"sha1": "2ee132d9ca78a61e667d8e990d9b327c87eb5054"
}
}
],
"evidence_files": [
{
"sha256": "002ba94ab1ebfc5aae7956529b1a26c6543baa01bf0e024d3d8fa8dea1fc8693",
"tlsh": "9a21af1e34bc64a8017023f5a73bd822fa69283b314290d9779c87a21f365595242edd",
"path": "dist/client/dev/viteopt.js"
},
{
"sha256": "91906a91c5648c35cc51e89542825d564b55df7ff14c010caf5c9cf84a8118af",
"tlsh": "977163e394d855970f109ce6fd08718aea3342eed5c2f080e77a643ad5c0b45423b6dd",
"path": "README.md"
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-pwa-config/MAL-2026-10092.json"