vite-plugin-compress-js @0.5.7
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID
MAL-2026-5713
Ecosystem
npm
Summary
On module load, this Vite plugin performs an HTTP GET to https://www.jsonkeeper.com/b/XVHGD (an anonymous, mutable paste host) and passes the response's data field to new Function.constructor("require", ...), then invokes the resulting function with require, granting the remote payload full Node.js capabilities (fs, child_process, network) inside the consumer's Vite build process. dist/index.mjs (lines ~124-128) calls the fetch+eval directly via initPlugin(); dist/index.cjs (lines ~130-141) wraps the same payload in if (isMainThread) { new Worker(__filename) } else { initPlugin() }, spawning a worker that re-loads the module with isMainThread=false and executes the network-fetched code in the worker thread to obscure the behavior from naive inspection. The package name and metadata (author 'Vben', debug name 'vite-plugin-compression', plugin name 'vite:compression') clone the well-known vite-plugin-compress / vite-plugin-compression packages, and an otherwise-unused request dependency exists solely to perform the C2 fetch. Any developer or build system that imports this package executes whatever JavaScript the operator currently has hosted at the jsonkeeper paste.
Source: amazon-inspector (7f7b2710441863a429a2a1833e06f54e9afc23c87d1b40d7ee09e1995c6a65c2)