npm

@vite-tab/tab @5.7.0

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC

Malicious

OSV ID

MAL-2026-6988

Ecosystem

npm

Summary

@vite-tab/tab republishes Vite's codebase under a different name while impersonating the upstream project: package.json declares bin: { vite: 'bin/vite.js' } (hijacking the vite command on $PATH), author: 'Evan You' , repository: git+https://github.com/vitejs/vite.git , and homepage: https://vitejs.dev . Appended to bin/vite.js after the legitimate Vite bootstrap is a self-decoding string table ( var _$_4445=(function(k,p){...})("...",4606094) ) built via a Fisher-Yates-style scramble with \x25 / \x23 substitution markers; all sensitive identifiers ( https , get , request , JSON.parse , child_process , spawn , eval , host fragments) are referenced as indices into this table to defeat static review. At runtime the decoded routines perform an HTTPS GET followed by a JSON-RPC POST ( {jsonrpc, method, params, id:1} ) to a dynamically resolved hostname, base64-decode and XOR-decrypt the response, and pass it to eval(r) ; a second fetched payload is launched via child_process.spawn(..., {detached:true, windowsHide:true}) , with a 30-second throttle. The fetch loop runs every time a developer invokes the hijacked vite command, giving the publisher arbitrary remote code execution on the developer machine with persistence via detached child processes. The remote-hostname JSON-RPC lookup makes the C2 endpoint resistant to static domain blocking.

Source: amazon-inspector (95af865d1cf7d45f2b4c2a73eebcfcd1a1a6aba9a36f33bf8256ef4d7235903c)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.