MAL-2026-5714

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-plugin-logo/MAL-2026-5714.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5714
Published
2026-06-12T19:52:23Z
Modified
2026-06-12T21:01:43.149318226Z
Summary
Malicious code in vite-plugin-logo (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b107e832dfd60ded8637d9a6db69c980eae13bde79da4cd01d69c5a1110aca2b)

On require, index.js walks up to 5 parent directories searching for public/assets/logo.png, scans the file bytes for the marker __VITE_ASSET_CACHE_v1__, base64-decodes the bytes that follow the marker, and executes them via new Function('require', code)(require), passing the real require so the decoded payload has full Node capabilities (filesystem, network, child_process).

The entire loader is wrapped in try { ... } catch (e) {} to silently swallow errors, and uses single-letter identifiers and a marker name that masquerades as a Vite-internal cache to disguise intent.

This is a steganographic loader: any project that installs and imports this plugin will execute whatever code is embedded in a PNG bearing the magic marker, giving an attacker (the package author, or anyone who can ship such a PNG into a consumer's public/assets/ tree) a generic remote-code-execution primitive at build/import time.

The package name follows the vite-plugin-* convention but is published under the generic placeholder author Vite Community with no repository or homepage, consistent with namespace abuse against the Vite plugin ecosystem.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006223",
            "versions": [
                "1.1.0"
            ],
            "sha256": "07a57a447a70e5e76ff5ea362aae40eeae0cbd34da16fd86a9833c0e456a2d1b",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:52:26Z",
            "import_time": "2026-06-12T20:49:37.21859497Z"
        },
        {
            "id": "IN-MAL-2026-006222",
            "import_time": "2026-06-12T20:49:37.12586059Z",
            "sha256": "2bb9108941f02b676dbf72ca860d93bd0da0dbbd471552887f700105a8ba1df2",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:52:25Z",
            "versions": [
                "1.0.5"
            ]
        },
        {
            "id": "IN-MAL-2026-006224",
            "versions": [
                "1.1.1"
            ],
            "sha256": "30ee8ea99de7572626712510a6410e5009ef2fa163957f93075351f08b69e55a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:52:27Z",
            "import_time": "2026-06-12T20:49:37.324692641Z"
        },
        {
            "id": "IN-MAL-2026-006219",
            "versions": [
                "1.0.3"
            ],
            "sha256": "5f008b3f10b66f771a48f943f1345c17fbe06fad1e4706ce5861f48a744551ce",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:52:23Z",
            "import_time": "2026-06-12T20:49:36.767037361Z"
        },
        {
            "id": "IN-MAL-2026-006227",
            "versions": [
                "1.0.6"
            ],
            "sha256": "647a15809f31f151ab733bd0c8a443b7c11d77a962fe0b76d88aad0c2d45a0da",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:52:30Z",
            "import_time": "2026-06-12T20:49:37.693632822Z"
        },
        {
            "id": "IN-MAL-2026-006220",
            "import_time": "2026-06-12T20:49:36.852347282Z",
            "sha256": "9a9879defd3dbcb42d07be3623d1e2e761ae3a4c4d7a5e9834004fb4ca2871a8",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:52:24Z",
            "versions": [
                "1.0.4"
            ]
        },
        {
            "id": "IN-MAL-2026-006221",
            "import_time": "2026-06-12T20:49:36.960747112Z",
            "sha256": "b107e832dfd60ded8637d9a6db69c980eae13bde79da4cd01d69c5a1110aca2b",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:52:24Z",
            "versions": [
                "1.0.7"
            ]
        },
        {
            "id": "IN-MAL-2026-006226",
            "import_time": "2026-06-12T20:49:37.588268293Z",
            "sha256": "ce01f469513e1fedb07417682dfc23546a19bc8a68a49e28d4be7bfa13cb2458",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:52:29Z",
            "versions": [
                "1.0.9"
            ]
        },
        {
            "id": "IN-MAL-2026-006225",
            "versions": [
                "1.0.8"
            ],
            "sha256": "1a386867300096464073c028fc255497e9a8b759bd4bd50664d55cbb739ef2ba",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:52:27Z",
            "import_time": "2026-06-12T20:49:37.415012945Z"
        }
    ]
}
References
Credits

Affected packages

npm / vite-plugin-logo

Package

Affected ranges

Affected versions

1.*
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.1.0
1.1.1

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "edc472b4b158f862f66b3ed30a7d49d31a6258033847aabb8cd48acda8fdc065",
            "tlsh": "de113a9856a921045433b3b2db17850af6bff16372149198bf6c92d96fb290043b7eec"
        }
    ],
    "package_integrity": [
        {
            "filename": "vite-plugin-logo-1.1.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-Oa057LWZ9hiJyAG+wGCGWvFcLTCqUbBPYnhtCKO7+bNSepuht0QY5FlwcPsS5jXQX3dY9gTVBCeS7jDrRjshTA==",
                "sha1": "c26f4c2ce49d8c3af75ef5ac8e4e4a7a1c560c45"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-plugin-logo/MAL-2026-5714.json"