npm

vite-config-field @1.1.5

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC

Malicious

OSV ID

MAL-2026-5936

Ecosystem

npm

Summary

vite-config-field@1.1.0 impersonates the legitimate vite-plugin-pwa package (README copies its banner/badges, funding field points at antfu's GitHub Sponsors, and the package re-exports VitePWA alongside the attacker-introduced configFields helper). The ESM entry dist/index.js exposes a configFields(userOpt) function which, when called from a Vite config (as the README instructs), detached-spawns node dist/client/dev/reactopt.js with stdio ignored and unref'd to hide the child from the developer. dist/client/dev/reactopt.js (lines 21-23) fetches https://www.jsonkeeper.com/b/DDC6J with header x-secret-key: _ , reads the response's data.Cookie field, and executes it via new Function.constructor('require', params); handler(require) — granting the attacker arbitrary Node code execution with require injected, on any developer or build machine that imports the package and invokes configFields(). The CJS entry dist/index.cjs intentionally omits this payload, so reviewers inspecting main see clean code while modern ESM toolchains that resolve via module / import get the dropper. The fetched payload host (jsonkeeper.com) is a mutable public paste-bin-like service, so the executed code can change at any time.

Source: amazon-inspector (8e5dabbc9cf746e153391fbe76f4dc54f9bccb9f7fd467d5b80d07c84ab1fb58)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.