npm

@vite-ln/build-ts @5.15.10

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC

Malicious

OSV ID

MAL-2026-6984

Ecosystem

npm

Summary

Package @vite-ln/build-ts copies the legitimate vite package's manifest verbatim (description 'Native-ESM powered web dev build tool', author 'Evan You', repository vitejs/vite, bin name 'vite') but is published under the unofficial scope @vite-ln rather than @vitejs. The tarball appends an obfuscated payload to the CLI entry bin/vite.js after the legitimate Vite bootstrap. The payload uses a shuffled, character-substituted string array decoded at runtime to recover endpoint hostnames, HTTP methods, and Node API names, then performs an HTTP(S) GET followed by a JSON-RPC 2.0 POST (an 'EtherHiding'-style retrieval where the payload is pulled from a blockchain RPC so the operator can rotate it without republishing), XOR-decodes the response with an embedded key, and executes the decoded bytes both via eval(r) and via a detached, hidden child_process.spawn('node', [..., r], {detached:true, stdio:'ignore', windowsHide:true}). Any developer who runs the vite CLI from this package (e.g., npx vite, npm run dev/build) executes attacker-controlled, dynamically rotated code on their machine with full developer privileges and a persisted detached process. Additional base64-decode-then-toString patterns appear in dist/node/chunks/dep-SDtFYyy1.js and dist/node/runtime.js, consistent with the same obfuscation family.

Source: amazon-inspector (8972bbfdd55ad200dd49b08501d7391beca99841f0c36479806f2b1e329950a2)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.