-= Per source details. Do not edit below this line.=-
Package @vite-js/ui@7.15.16 impersonates the legitimate vite package: it copies the author name, homepage (vitejs.dev), README, and exposes a bin named vite, but publishes under an unrelated scope. Its bin/vite.js contains the legitimate Vite launcher followed by an appended obfuscated IIFE that uses a seeded permutation cipher and placeholder-swap encoding to reconstruct the Function constructor name and a decoded payload string, then invokes Function(...) with the decoded body — an eval-equivalent RCE primitive that fires whenever a developer runs the vite CLI provided by this package. The obfuscation shape (custom character-shuffle descrambler, hex/comma-obfuscated string tables) is combined with runtime dependencies uncharacteristic of a build tool (@solana/web3.js, axios, socket.io-client, form-data), consistent with the wallet-stealer / exfiltration family seen in prior npm typosquat incidents. Running npx vite or the installed vite bin from this package executes attacker-controlled code on the developer's machine.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-08T20:37:36Z",
"id": "IN-MAL-2026-008609",
"source": "amazon-inspector",
"import_time": "2026-07-08T21:27:50.06242356Z",
"sha256": "914257e4d1eecae3fc48e98c8a2a406ed8021ed159c4a43a96c57453d0a1f320",
"versions": [
"7.15.16"
]
}
]
}{
"package_integrity": [
{
"filename": "ui-7.15.16.tgz",
"hashes": {
"sha1": "8950e9cff4e641854d7e736213fe7b934b132d99",
"sha512_sri": "sha512-EUmASs+yOowDRmiuBystWtkyYL8w3h2oyBoFitr5ogAcWuFzLZDnfPCXjMAiWwDaKl8Up8i3t5li1yg5wavnaA=="
}
}
],
"evidence_files": [
{
"path": "bin/vite.js",
"tlsh": "89e15c41e1dcb8561ba0b59ab49e49096c799423ef4cc984f3bcf2506fdb12852850f9",
"sha256": "16ac3a574bd4bd9836918033852cc1528a50ac2fc9231ab9605bc2b20e8bea7b"
},
{
"path": "package.json",
"tlsh": "c9a1bc21cea88da31ad424e9ec790142f13485578e65fc18339d57ad0f4d26f327ebae",
"sha256": "af314d461d5ac49b9133bac01746842996e7f4636a6fa2e3d6541eadf67f391b"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@vite-js/ui/MAL-2026-7021.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]