MAL-2026-10525

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@vite-mcp/vite-type/MAL-2026-10525.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10525
Published
2026-07-14T03:33:51Z
Modified
2026-07-14T04:47:00.248353527Z
Summary
Malicious code in @vite-mcp/vite-type (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9828d7f04091054759c65d427b8f9d7b2853a8a062f9ca261a37e0a0bbc231d0)

Package @vite-mcp/vite-type@6.44.1 impersonates the legitimate vite package: package.json declares name '@vite-mcp/vite-type', author 'Evan You', repository 'github.com/vitejs/vite', and a bin entry 'vite' → 'bin/vite.js', while shipping a copy of the vite source tree to look authentic. Appended to bin/vite.js, after a long whitespace-padded line intended to push it past editor viewports, is an obfuscated IIFE that uses a Fisher-Yates-style string-permutation decoder keyed to the integer 4606094 to reconstruct identifiers ('require','https','get','childprocess','spawn','eval','JSON.parse'). At runtime it performs an HTTPS GET and a JSON-RPC POST to a remote host, XOR-decodes the response, passes the result to eval(), and additionally invokes childprocess.spawn(..., {detached:true, stdio:..., windowsHide:true}) to run the decoded payload as a hidden detached process. The loader fires whenever the shipped 'vite' bin is invoked (e.g. via 'npx vite' or a project's npm scripts), giving the publisher arbitrary remote code execution on any developer or build host that runs this CLI. Combined with the brand/author/repository impersonation of vitejs/vite, this is a deliberate supply-chain attack against developers who mistakenly install this scope.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-14T03:33:51Z",
            "versions": [
                "6.44.1"
            ],
            "sha256": "9828d7f04091054759c65d427b8f9d7b2853a8a062f9ca261a37e0a0bbc231d0",
            "id": "IN-MAL-2026-010366",
            "source": "amazon-inspector",
            "import_time": "2026-07-14T04:31:59.11241197Z"
        }
    ]
}
References
Credits

Affected packages

npm / @vite-mcp/vite-type

Package

Name
@vite-mcp/vite-type
View open source insights on deps.dev
Purl
pkg:npm/%40vite-mcp/vite-type

Affected ranges

Affected versions

6.*
6.44.1

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "87a1ab21cda88da30ad420e9ec791142f13485578e65fc18339c57ad0f4d26f327ebae",
            "sha256": "24d47f79fcd9c33709b39895e977491374bbbc85425e1cb8e5558e1481ac9711",
            "path": "package.json"
        },
        {
            "tlsh": "1ef14134b6fc38680f2c34b9bd9f090b24a54b11aec94149727cfe902bfdb17865d966",
            "sha256": "6a4f700c3d4dd16019114f78843e0e555be465f4d0fc9e8d31452767995b6199",
            "path": "bin/vite.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "50810c70902bc8c854155bfd6610afc9fe20fa24",
                "sha512_sri": "sha512-v/KfOIPt9vnp+rW8va7KwRHDdOrBx9Rtk0XX31PC/uIVmugIslnoJqP6p8JjtzSfILQMHlBhioyi+PwNvGh11w=="
            },
            "filename": "vite-type-6.44.1.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@vite-mcp/vite-type/MAL-2026-10525.json"