npm

vite-plugin-compress-js@0.5.5

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5713

Ecosystem

npm

Summary

On module load, the package's initPlugin() function performs an HTTP GET to https://www.jsonkeeper.com/b/OTOAQ (an anonymous public JSON-paste host) and passes the response body's .data field to new Function.constructor('require', ...)(require), executing attacker-controlled JavaScript with full Node require access on the developer or build machine. The ESM entry invokes initPlugin() at top level; the CJS entry spawns a worker_threads Worker on __filename so that the same fetch-and-exec runs in the worker. Evidence is in dist/index.cjs lines 148-156.

The package name vite-plugin-compress-js mimics the legitimate vite-plugin-compress / vite-plugin-compression packages and copies their description ("Use gzip or brotli to compress resources.") and surface API (gzip/brotli on closeBundle) as cover for the dropper. The runtime dependencies (express, request, sqlite3) are inconsistent with a compression plugin; request is the transport used by the dropper. Any project that adds this plugin to its Vite config triggers remote code execution at build time.

Source: amazon-inspector (ba5cca8be2f19842c304f355a2219256b3af26e9df385ec314ea6899621110aa)
