@vitets/vite-ts @1.5.10
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 7:46 AM UTC
OSV ID
MAL-2026-10528
Ecosystem
npm
Summary
Package is published as @vitets/vite-ts and copies the legitimate Vite project's author ( Evan You ), README, homepage ( vitejs.dev ), and repository ( github.com/vitejs/vite ) to impersonate the real vite / @vitejs/* packages, and declares a bin entry named vite so consumers who install it and run the vite CLI execute the package's bin/vite.js . After ~5KB of whitespace padding, bin/vite.js contains an obfuscated payload that uses a custom string-scramble routine to hide identifiers ( require , child_process , spawn , eval , hostnames, HTTP/JSON-RPC method names) as numeric indices into a reconstructed string table, defeating static IOC scanning. The decoded routine performs an HTTPS GET and a JSON-RPC POST to remote hosts, XORs the response with a key fetched from a second endpoint, runs eval(r) on the result, and additionally child_process.spawn s a detached background process to execute it (with detached:true , windowsHide:true ). This gives the publisher arbitrary code execution on the developer's machine every time the vite CLI is invoked, with no integrity check on the fetched code. The package's dist/ bundle also contains base64+Buffer decode primitives consistent with additional obfuscated payload handling.
Source: amazon-inspector (8fe093d0d0fa83ab20aa57e9d9c8500e03a25ead578ff351fdc3609118cf5ecf)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.