-= Per source details. Do not edit below this line.=-
Package @vite-mcp/vite-type@6.44.1 impersonates the legitimate vite package: package.json declares name '@vite-mcp/vite-type', author 'Evan You', repository 'github.com/vitejs/vite', and a bin entry 'vite' → 'bin/vite.js', while shipping a copy of the vite source tree to look authentic. Appended to bin/vite.js, after a long whitespace-padded line intended to push it past editor viewports, is an obfuscated IIFE that uses a Fisher-Yates-style string-permutation decoder keyed to the integer 4606094 to reconstruct identifiers ('require','https','get','childprocess','spawn','eval','JSON.parse'). At runtime it performs an HTTPS GET and a JSON-RPC POST to a remote host, XOR-decodes the response, passes the result to eval(), and additionally invokes childprocess.spawn(..., {detached:true, stdio:..., windowsHide:true}) to run the decoded payload as a hidden detached process. The loader fires whenever the shipped 'vite' bin is invoked (e.g. via 'npx vite' or a project's npm scripts), giving the publisher arbitrary remote code execution on any developer or build host that runs this CLI. Combined with the brand/author/repository impersonation of vitejs/vite, this is a deliberate supply-chain attack against developers who mistakenly install this scope.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-14T03:33:51Z",
"versions": [
"6.44.1"
],
"sha256": "9828d7f04091054759c65d427b8f9d7b2853a8a062f9ca261a37e0a0bbc231d0",
"id": "IN-MAL-2026-010366",
"source": "amazon-inspector",
"import_time": "2026-07-14T04:31:59.11241197Z"
}
]
}{
"evidence_files": [
{
"tlsh": "87a1ab21cda88da30ad420e9ec791142f13485578e65fc18339c57ad0f4d26f327ebae",
"sha256": "24d47f79fcd9c33709b39895e977491374bbbc85425e1cb8e5558e1481ac9711",
"path": "package.json"
},
{
"tlsh": "1ef14134b6fc38680f2c34b9bd9f090b24a54b11aec94149727cfe902bfdb17865d966",
"sha256": "6a4f700c3d4dd16019114f78843e0e555be465f4d0fc9e8d31452767995b6199",
"path": "bin/vite.js"
}
],
"package_integrity": [
{
"hashes": {
"sha1": "50810c70902bc8c854155bfd6610afc9fe20fa24",
"sha512_sri": "sha512-v/KfOIPt9vnp+rW8va7KwRHDdOrBx9Rtk0XX31PC/uIVmugIslnoJqP6p8JjtzSfILQMHlBhioyi+PwNvGh11w=="
},
"filename": "vite-type-6.44.1.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@vite-mcp/vite-type/MAL-2026-10525.json"