-= Per source details. Do not edit below this line.=-
Package publishes under @vite-js/vui while impersonating the official vite package: package.json sets author "Evan You", description "Native-ESM powered web dev build tool", repository github.com/vitejs/vite.git, and bin name "vite" mapped to bin/vite.js. bin/vite.js is the legitimate Vite bootstrapper with an obfuscated trailer appended after the normal start() call: a shuffle-decoder resolves the string "constructor" (var XVL=Oto[Ywu]), builds a Function from a decoded opaque source blob, and immediately invokes it (var CpK=XVL(HuO,Oto(IHO)); var ARH=CpK(Oto('...')); var hTf=plc(byk,ARH); hTf(3504);). Every invocation of the vite command (npm run dev/build/preview, npx vite) executes the hidden author-supplied code on the developer's machine. devDependencies additionally include @solana/web3.js, axios, socket.io-client, and form-data — libraries consistent with wallet-drainer / C2 exfiltration functionality and not present in upstream Vite.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"sha256": "89dd59b0cc2b2931e47b1822fa705eba41767d28ae89bce2e277254377dd9a0a",
"modified_time": "2026-07-14T20:47:33Z",
"import_time": "2026-07-14T20:52:50.38954353Z",
"id": "IN-MAL-2026-010567",
"versions": [
"7.14.16"
]
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@vite-js/vui/MAL-2026-10619.json"
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"filename": "vui-7.14.16.tgz",
"hashes": {
"sha512_sri": "sha512-epMtlIagTIF4t0FLrWyj4NVcU9e8DAua9Xolz3kHaL6GyZ3465Iujo0Sz2KRAtF1jG+jn/xrypaHZ9Mfe4ZWlA==",
"sha1": "732f15f484077d64168c5edc7794bd4ae817ffe5"
}
}
],
"evidence_files": [
{
"path": "bin/vite.js",
"sha256": "6c2578f21e21e8a904bd07d4f01e85e727f4f16bd051f0dca465335a38f1ba7b",
"tlsh": "aff16d92c1ec38311710768ef09d0a6b46e24612ad4cc698bb4cfa70bfc651476ca3d9"
},
{
"path": "package.json",
"sha256": "e38bd12161d52fec35d2c7dd05a5fec311e04fc13050f878e826664bc633ef00",
"tlsh": "e0a1cd21cea88da31ad024e9ec790142f13485578e65fc18339d57ad0f4d26f327ebae"
}
]
}