vite-config-optimizer @1.1.4
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5727
Ecosystem
npm
Summary
package.json declares a postinstall hook node -e "require('./loader.js')" that auto-executes on every npm install. loader.js spawns a detached child Node process running a dropper that hex-decodes a hidden URL (https://jsonkeeper.com/b/L435A, an anonymous, mutable JSON paste host), HTTPS-GETs the response body, writes it to a temp file under /tmp/wpc-*/cfg-*.js, and require()s it — running arbitrary attacker-controlled JavaScript inside the installer's Node process with the installer's privileges. The remote endpoint is concealed as a hex literal decoded with Buffer.from(..., 'hex').toString() to evade plain-text URL scanners, and the dropper is detached and unref'd to hide its activity. The package's advertised identity is also a cover story: the name and description claim it is a Vite configuration plugin, but the declared repository points at webpack-tools/webpack-cache-plugin, the main module exports a WebpackCachePlugin class, and the only install-time behavior is the dropper. Anyone running npm install vite-config-optimizer (directly or transitively) executes whatever bytes the paste host serves at request time.
Source: amazon-inspector (f824c077d7d2705d17dc29eba9a24ea8b51b93785bcf83fdfe639fc8f9bc581f)
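The summary above names three static indicators a pre-install audit can check for: an install hook that runs node -e against a local file, a URL hidden as a hex literal passed to Buffer.from(..., 'hex'), and a detached, unref'd child process. The following Node script is an added example, not part of the OSV record or of the package; the sample package.json and loader text are constructed, and the hidden URL is a placeholder rather than the real endpoint.

```javascript
// Static pre-install audit for the indicators described in MAL-2026-5727.
// Added example: sample inputs are constructed, not taken from the package.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Install-time scripts that invoke `node -e` or require a file shipped in the
// package: the shape of the postinstall hook described in the report.
function suspiciousInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter((h) => typeof scripts[h] === 'string')
    .filter((h) => /\bnode\s+(-e|--eval)\b/.test(scripts[h]) ||
                   /require\(\s*['"]\.\//.test(scripts[h]))
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Decode every hex literal passed to Buffer.from(..., 'hex') and report those
// that decode to a URL; this defeats the plain-text URL-scanner evasion.
function hexDecodedUrls(source) {
  const re = /Buffer\.from\(\s*['"`]([0-9a-fA-F]+)['"`]\s*,\s*['"`]hex['"`]\s*\)/g;
  const urls = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    const decoded = Buffer.from(m[1], 'hex').toString('utf8');
    if (/^https?:\/\//.test(decoded)) urls.push(decoded);
  }
  return urls;
}

// A child process spawned detached and unref'd outlives the installer and
// hides from its process tree; both tokens together are worth a manual look.
function spawnsDetachedChild(source) {
  return /detached\s*:\s*true/.test(source) && /\.unref\(\)/.test(source);
}

function auditPackage(pkg, sources) {
  const hooks = suspiciousInstallHooks(pkg);
  const urls = sources.flatMap(hexDecodedUrls);
  const detached = sources.some(spawnsDetachedChild);
  const flagged = hooks.length > 0 || urls.length > 0 || detached;
  return { hooks, urls, detached, verdict: flagged ? 'review before install' : 'no indicators' };
}

// Constructed sample: hook shape from the report plus a loader hiding a
// placeholder URL (not the real one) as a hex literal.
const SAMPLE_PKG = { name: 'sample-pkg', scripts: { postinstall: 'node -e "require(\'./loader.js\')"' } };
const PLACEHOLDER_URL = 'https://example.invalid/paste/PLACEHOLDER';
const SAMPLE_LOADER = `const u = Buffer.from('${Buffer.from(PLACEHOLDER_URL).toString('hex')}', 'hex').toString();\n` +
  `require('child_process').spawn(process.execPath, ['x.js'], { detached: true, stdio: 'ignore' }).unref();`;

console.log(JSON.stringify(auditPackage(SAMPLE_PKG, [SAMPLE_LOADER]), null, 2));
```

Run it against an unpacked tarball by loading its package.json and concatenating its .js files into the sources array; a hit is a reason to read the code, not proof of malice.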