MAL-2026-10545

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-plugin-model/MAL-2026-10545.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10545
Published
2026-07-14T03:37:11Z
Modified
2026-07-14T04:46:59.046985867Z
Summary
Malicious code in vite-plugin-model (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (50d2f5d3fe93de908c3da2d129b5b766a740b16a0eebf6c29c684605a9eaccf3)

The CJS entrypoint dist/index.js top-level requires bytenode and loads a sibling V8 bytecode blob dist/index.jsc, then injects a hidden Model.resetor() that instantiates a class from that bytecode and immediately calls its queryDBConnect() method on require(). The bytecode contains axios, atob, and node:module internals (_compile, _nodeModulePaths), together with a reversed-base64 literal that decodes to https://c0uxnElubanuzwji03vsfrj.m.pipedream.net — an HTTPS Pipedream webhook. The runtime pattern fetches the webhook response, decodes it, and compiles it as a new Node module, executing attacker-controlled code on the installer's machine as soon as any consumer imports the package. Additional indicators corroborate the hostile intent: the ESM twin dist/index.mjs is clean while only the CJS main is tampered; the package advertises itself as a Vite plugin but the shipped code is an unrelated MobX-style store plus a MySQL-flavored DivbloxDatabaseConnector cover-story class; and dist/index.js pulls in an undeclared 'oubliette' dependency while the bytecode requires an undeclared 'axios', both consistent with attacker scaffolding to complete the exec chain via name-squat or hoist collision.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-14T03:37:11Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "50d2f5d3fe93de908c3da2d129b5b766a740b16a0eebf6c29c684605a9eaccf3",
            "id": "IN-MAL-2026-010372",
            "source": "amazon-inspector",
            "import_time": "2026-07-14T04:31:59.426358568Z"
        }
    ]
}
References
Credits

Affected packages

npm / vite-plugin-model

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "d03211c937fb6930551f30691e4f8107b23a944ba41dde4cba9c42d4af4447992f2bbd",
            "sha256": "e8eba127d4476c6f7b3c838d883d69a7206261bb0d5f66ee9c8d2e1aa627d83e",
            "path": "dist/index.js"
        },
        {
            "tlsh": "3e523b453762eb2bd02281b5a4f30a1403bdfad53e3287076a595cbb9c1f9ec6f6b444",
            "sha256": "a876592bf86e236890a10d1363f2a35c4941d8dcf8b530a21b2787839fff036e",
            "path": "dist/index.jsc"
        },
        {
            "tlsh": "c8f04c30ca214d7345d461d54cab15a3ba718d5b0487fc1833db460c0a8d77710fe67c",
            "sha256": "0caf92f8bf661e1b5d01df318e1a8a67d625fe67119e9a58ad1c8aac62989d71",
            "path": "package.json"
        },
        {
            "tlsh": "4401f116e0fbea53087d94793f44a0a689da87e3274774040b9c293c1acb7334007692",
            "sha256": "19b3ef4fbb05b13fb853287fe6056966d12fec369144b78b1b8343a77973341f",
            "path": "README.md"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "c78963fb33c85a2559a74feafdb83ec70da4dc78",
                "sha512_sri": "sha512-xAg3Uja9PPgeZkPhGUvb1nCf4qEzIAQbWWbjxzYG/2ijE6cS/cabtAlIne0DAWOcGFGrMhjDB5gMVlG+WpuVZw=="
            },
            "filename": "vite-plugin-model-1.0.0.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-plugin-model/MAL-2026-10545.json"