npm

mdb-vite @1.5.2

Vulnerability report · Last retrieved from osv.dev July 13, 2026 at 7:40 AM UTC

Malicious

OSV ID

MAL-2026-10144

Ecosystem

npm

Summary

The package's default export getPlugin performs an HTTPS fetch to https://svganchordev.net/icons/107 with URL components split across protocol , domain , separator , and path variables to disguise the destination, then passes the response's credits field to new Function('require','module',...,data.credits) and invokes it with full Node capabilities (require, module, process, Buffer, global, __dirname=process.cwd()). Any consumer that imports the package and invokes the default export runs attacker-controlled code with the installer's Node privileges — enabling arbitrary payload delivery, credential theft, persistence, or downstream compromise. Additional misdirection: the package name mdb-vite evokes MDBootstrap/Vite tooling, keywords are react, helper, svg , the README titles itself polymarket-clob-api , and package.json describes it as a Polymarket CLOB SDK — none of which match the code, which only fetches and evals remote JavaScript. A bearrtoken: 'logo' header and an unused CDN-provider map (cloudflare/fastly/akamai/cloudfront) are decoys to make the loader appear CDN-related.

Source: amazon-inspector (d24ffe7ac6e64aab50d9ba84f5b06ffd1047663698d25071770749b36afe6543)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.