MAL-2026-5701
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-react-toolkit/MAL-2026-5701.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5701
- Aliases
-
- GHSA-4vwq-cp5w-hx5g
- Published
- 2026-06-12T16:11:50Z
- Modified
- 2026-06-12T20:01:57.852869850Z
- Summary
- Malicious code in vite-react-toolkit (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (879905a93676f42398cca583eb921d5ee04a7c84068d7aa0123a7cefdf26d995)
On import/require of vite-react-toolkit, src/features/extras/config.js (reached via the package main → createConfig.js → features/plugins.js side-effect import chain) fetches https://www.jsonkeeper.com/b/AAON3 with axios, extracts the response's
.configfield, and passes it tonew Function('require', s)(require)— executing attacker-controlled JavaScript in the installer's Node.js process with full module-loading capability viacreateRequire(import.meta.url). The fetch retries 5 times and swallows errors silently;console.logis saved and restored around the call to suppress output from the injected code. The dropper URL is hidden behind a fake localprocess.envobject whose keys are namedDEV_API_KEY/DEV_SECRET_KEY/DEV_SECRET_VALUEto look like ordinary environment variable reads. The package advertises itself as a Vite configuration helper, which has no need for network I/O at import time. jsonkeeper.com is an anonymous, mutable paste host — the served bytes can change at any time without any change to the package — so the attacker controls what runs in every consumer's dev/build pipeline whenever this module is imported.Source: ghsa-malware (316e2881a83a38ed8663fab07132eae5000d17aa215009a96762f5ec381c1981)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
- Database specific
{ "malicious-packages-origins": [ { "id": "GHSA-4vwq-cp5w-hx5g", "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "import_time": "2026-06-12T17:16:21.751032525Z", "sha256": "316e2881a83a38ed8663fab07132eae5000d17aa215009a96762f5ec381c1981", "source": "ghsa-malware", "modified_time": "2026-06-12T16:11:51Z" }, { "id": "IN-MAL-2026-006213", "import_time": "2026-06-12T19:44:20.55562149Z", "sha256": "879905a93676f42398cca583eb921d5ee04a7c84068d7aa0123a7cefdf26d995", "source": "amazon-inspector", "modified_time": "2026-06-12T19:27:03Z", "versions": [ "1.0.1" ] } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / vite-react-toolkit
Package
- Name
- vite-react-toolkit
- View open source insights on deps.dev
- Purl
- pkg:npm/vite-react-toolkit
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Database specific
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"path": "src/features/extras/config.js",
"sha256": "d100938f64c4cc264fd29a4a56d67132ec0d894e860cbfffd4b2fb62f0432422",
"tlsh": "0b01bd8fa1ac140c057013e7bb1be036f662b1ab390381d5775cc7521fb695ca602ede"
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-react-toolkit/MAL-2026-5701.json"