-= Per source details. Do not edit below this line.=-
package.json declares a postinstall hook node -e "require('./loader.js')" that auto-executes on every npm install. loader.js spawns a detached child Node process running a dropper that hex-decodes a hidden URL (https://jsonkeeper.com/b/L435A, an anonymous, mutable JSON paste host), HTTPS-GETs the response body, writes it to a temp file under /tmp/wpc-*/cfg-*.js, and require()s it — running arbitrary attacker-controlled JavaScript inside the installer's Node process with the installer's privileges. The remote endpoint is concealed as a hex literal decoded with Buffer.from(..., 'hex').toString() to evade plain-text URL scanners, and the dropper is detached and unref'd to hide its activity. The package's advertised identity is also a cover story: the name and description claim it is a Vite configuration plugin, but the declared repository points at webpack-tools/webpack-cache-plugin, the main module exports a WebpackCachePlugin class, and the only install-time behavior is the dropper. Anyone running npm install vite-config-optimizer (directly or transitively) executes whatever bytes the paste host serves at request time.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-006276",
"import_time": "2026-06-13T03:48:10.829286623Z",
"sha256": "d8d7346296470990420a83384ab12bb58bd7cafa17ed5e02fdef81440ab8e4b1",
"source": "amazon-inspector",
"modified_time": "2026-06-13T03:03:45Z",
"versions": [
"1.1.4"
]
},
{
"id": "IN-MAL-2026-006275",
"import_time": "2026-06-13T03:48:10.800528191Z",
"sha256": "f824c077d7d2705d17dc29eba9a24ea8b51b93785bcf83fdfe639fc8f9bc581f",
"source": "amazon-inspector",
"modified_time": "2026-06-13T03:03:44Z",
"versions": [
"1.1.4"
]
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"evidence_files": [
{
"path": "loader.js",
"sha256": "a5ead14cb7532cc465ecd9f3330450e8bd6c35fca6b9d9dd2411344828294e83",
"tlsh": "d2318a9e1ba52234da70d3d653235426d5a3e6327341e6c0b65c58d20fa2270d2b3dfc"
},
{
"path": "package.json",
"sha256": "cde41147eec70612446fe9de6d2cb3e7f492ba5539d839dd737b92d05b0ab8a1",
"tlsh": "95f0812446945e3309e552d94c5152b4f739cf6f05047c4907ab101d8a8e27297ff36e"
}
],
"package_integrity": [
{
"filename": "vite-config-optimizer-1.1.4.tgz",
"hashes": {
"sha512_sri": "sha512-e8lXxuxuIgwvtYG3+tAHPXAtau9Jms5BiCG+MNtmdLF/ajloPKf0eWEdNZ+Nz7btptzvijydw/PdJlkS48yU5Q==",
"sha1": "962a8bd6c76db4eb369333a83129d0dc600d30b7"
}
}
],
"ips": [
"64.227.108.217",
"104.16.11.34",
"147.189.174.8",
"104.16.4.34",
"104.16.212.131",
"10.1.0.2"
],
"domains": [
"jsonkeeper.com"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-config-optimizer/MAL-2026-5727.json"