npm

@vite-pro/vite-ui @2.5.10

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 7:46 AM UTC

Malicious

OSV ID

MAL-2026-10526

Ecosystem

npm

Summary

Package @vite-pro/vite-ui impersonates the official vite package: package.json declares author Evan You , points repository at github.com/vitejs/vite , sets homepage to vitejs.dev , ships the upstream Vite README, and exposes a bin named vite . Appended to the end of bin/vite.js , after the legitimate CLI bootstrap and a large block of trailing whitespace, is an obfuscated IIFE that constructs a string table via a seeded Fisher-Yates shuffle (seed 4606094) to hide endpoints, method names, and constants. The loader then fetches a remote payload over HTTP, XOR-decrypts it with an embedded key, and eval s the result. It subsequently fetches a second payload and passes it to child_process.spawn with detached:true , stdio:'ignore' , and windowsHide:true , establishing a hidden, long-running process independent of the parent vite invocation. The loader runs every time a developer executes vite , npx vite , or npm run dev|build , giving the attacker arbitrary code execution and a persistent background process on the developer machine on each CLI use. The obfuscation technique (seeded string-array shuffle + XOR + eval + detached spawn) matches reported blockchain-C2 loader families.

Source: amazon-inspector (9aaf307faea8efb93af6f3c8ee4811304a7d9afa25f1c9525aed108efea439e7)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.