@uw010010/vite-tree @3.6.1
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10470
Ecosystem
npm
Summary
The package @uw010010/vite-tree impersonates the upstream vite package: its package.json verbatim copies vite's author ('Evan You'), description ('Native-ESM powered web dev build tool'), bin name 'vite', repository (git+https://github.com/vitejs/vite.git), and homepage (https://vitejs.dev), and ships vite's README. Appended to bin/vite.js, after ~5KB of whitespace padding, is an obfuscated trailer that builds a shuffled string-array dispatcher (via Fisher-Yates permutation with String.fromCharCode(127) sentinel substitution) to reconstitute method/property names such as 'http(s)', 'get', 'POST', 'request', 'child_process', 'spawn', 'JSON.parse', 'JSON.stringify', and '2.0'. At runtime the trailer issues an HTTP GET and a JSON-RPC 2.0 POST (id:1) to an attacker-controlled endpoint, XOR-decodes the response with a key derived from the response, and then both eval()s the decoded string and invokes child_process.spawn with detached:true, windowsHide:true, stdio:'ignore' to run the same decoded payload as a detached background process. The bin executes on every invocation of vite / npx vite from this package, so any developer who installs the typosquat and runs the bin gets arbitrary attacker code executed on their machine plus a hidden detached child for persistence.
Source: amazon-inspector (280687ad50e03b43bf7f26df6afb1a8fb794eb486c126b2368f37c6b76625318)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.