vite-json-pwa @1.1.2
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 1:25 AM UTC
OSV ID
MAL-2026-6969
Ecosystem
npm
Summary
vite-json-pwa@1.1.2 impersonates the popular vite-plugin-pwa (mirroring its VitePWA/cachePreset/configField API surface) and injects a remote code loader into the plugin's runtime path. The exported configField API invokes getUseropt, which uses child_process.spawn to launch a detached node process running dist/client/dev/reactopt.js with stdio:'ignore' and child.unref(), hiding output and outliving the parent. reactopt.js performs an HTTP GET to https://www.jsonkeeper.com/b/TUJAY (an anonymous, author-mutable paste host disguised behind variable names DEV_API_KEY / DEV_SECRET_KEY and a shadow process.env object), takes the returned string body, wraps it in new Function('require', s), and invokes it with the host's require — giving attacker-controlled JavaScript full Node privileges on the developer/build machine. The reactopt.js name and client/dev/ path are cover-story camouflage; a Vite plugin has no legitimate reason to fork a hidden detached node child that eval's remote paste-bin content. Any consumer whose Vite config invokes the plugin's configField will pull and execute whatever JavaScript the attacker currently hosts at jsonkeeper.com/b/TUJAY.
Source: amazon-inspector (08b3a45c4ee8248fa8a7a4fbf117192aefce7a29d4575b4b498e7271878ab035)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.