@vite-js/ui @7.15.16
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 1:25 AM UTC
OSV ID
MAL-2026-7021
Ecosystem
npm
Summary
Package @vite-js/ui@7.15.16 impersonates the legitimate vite package: it copies the author name, homepage (vitejs.dev), README, and exposes a bin named vite , but publishes under an unrelated scope. Its bin/vite.js contains the legitimate Vite launcher followed by an appended obfuscated IIFE that uses a seeded permutation cipher and placeholder-swap encoding to reconstruct the Function constructor name and a decoded payload string, then invokes Function(...) with the decoded body — an eval-equivalent RCE primitive that fires whenever a developer runs the vite CLI provided by this package. The obfuscation shape (custom character-shuffle descrambler, hex/comma-obfuscated string tables) is combined with runtime dependencies uncharacteristic of a build tool ( @solana/web3.js , axios , socket.io-client , form-data ), consistent with the wallet-stealer / exfiltration family seen in prior npm typosquat incidents. Running npx vite or the installed vite bin from this package executes attacker-controlled code on the developer's machine.
Source: amazon-inspector (914257e4d1eecae3fc48e98c8a2a406ed8021ed159c4a43a96c57453d0a1f320)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.