MAL-2026-10619

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@vite-js/vui/MAL-2026-10619.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10619
Published
2026-07-14T20:47:33Z
Modified
2026-07-14T21:04:40.998199654Z
Summary
Malicious code in @vite-js/vui (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (89dd59b0cc2b2931e47b1822fa705eba41767d28ae89bce2e277254377dd9a0a)

Package publishes under @vite-js/vui while impersonating the official vite package: package.json sets author "Evan You", description "Native-ESM powered web dev build tool", repository github.com/vitejs/vite.git, and bin name "vite" mapped to bin/vite.js. bin/vite.js is the legitimate Vite bootstrapper with an obfuscated trailer appended after the normal start() call: a shuffle-decoder resolves the string "constructor" (var XVL=Oto[Ywu]), builds a Function from a decoded opaque source blob, and immediately invokes it (var CpK=XVL(HuO,Oto(IHO)); var ARH=CpK(Oto('...')); var hTf=plc(byk,ARH); hTf(3504);). Every invocation of the vite command (npm run dev/build/preview, npx vite) executes the hidden author-supplied code on the developer's machine. devDependencies additionally include @solana/web3.js, axios, socket.io-client, and form-data — libraries consistent with wallet-drainer / C2 exfiltration functionality and not present in upstream Vite.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "89dd59b0cc2b2931e47b1822fa705eba41767d28ae89bce2e277254377dd9a0a",
            "modified_time": "2026-07-14T20:47:33Z",
            "import_time": "2026-07-14T20:52:50.38954353Z",
            "id": "IN-MAL-2026-010567",
            "versions": [
                "7.14.16"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @vite-js/vui

Package

Affected ranges

Affected versions

7.*
7.14.16

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@vite-js/vui/MAL-2026-10619.json"
cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "vui-7.14.16.tgz",
            "hashes": {
                "sha512_sri": "sha512-epMtlIagTIF4t0FLrWyj4NVcU9e8DAua9Xolz3kHaL6GyZ3465Iujo0Sz2KRAtF1jG+jn/xrypaHZ9Mfe4ZWlA==",
                "sha1": "732f15f484077d64168c5edc7794bd4ae817ffe5"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "bin/vite.js",
            "sha256": "6c2578f21e21e8a904bd07d4f01e85e727f4f16bd051f0dca465335a38f1ba7b",
            "tlsh": "aff16d92c1ec38311710768ef09d0a6b46e24612ad4cc698bb4cfa70bfc651476ca3d9"
        },
        {
            "path": "package.json",
            "sha256": "e38bd12161d52fec35d2c7dd05a5fec311e04fc13050f878e826664bc633ef00",
            "tlsh": "e0a1cd21cea88da31ad024e9ec790142f13485578e65fc18339d57ad0f4d26f327ebae"
        }
    ]
}