vite-json-config @1.0.5
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID: MAL-2026-4705
Ecosystem: npm
Summary:
The package presents itself as a vite/tsconfig path helper and clones the public API of tsconfig-paths (createMatchPath, matchFromAbsolutePaths, register, loadConfig). A new exported configJson entry point spawns a detached node lib/mapProps.js child process via child_process.spawn(..., { detached: true, stdio: 'ignore' }) (lib/config-loader.js). lib/mapProps.js performs an HTTPS GET to https://www.jsonkeeper.com/b/5IZTJ, an anonymous, mutable JSON paste host, and passes the response's Cookie field directly to new Function('require', s)(require), giving the publisher arbitrary code execution inside the consumer process with full require access. The fetch URL and header are concealed by shadowing process with a local object whose env uses cover-story names (DEV_API_KEY, DEV_SECRET_KEY, DEV_SECRET_VALUE) that actually hold the C2 URL and HTTP header. There is no integrity check on the fetched payload; the paste content can be changed at any time by whoever controls the jsonkeeper.com entry. Combined with the cloned legitimate-package API surface, this is a deliberate supply-chain dropper, not a coding mistake.
Source: amazon-inspector (9a7c9683fed8b8696938eb7ad88e158f70a075851b0dd511af991ecd69a4d0fd)