vite-plugin-config-paths @1.4.2
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 9:46 AM UTC
OSV ID
MAL-2026-10574
Ecosystem
npm
Summary
Package name impersonates the widely-used vite-plugin-tsconfig-paths (the package.json homepage points to the legitimate plugin's README), and the README markets the same API. The CJS entry (index.js) contains top-level code that is absent from the ESM entry (index.mjs): const { getFunc } = require("url-func-registry"); const jsonInst = getFunc("JsonS"); const json_provider = jsonInst(); . On require() of this package (the resolution path Node uses for CommonJS consumers), a function looked up by string name from a transitive url-func-registry dependency is invoked at load time. This registry-lookup indirection hides the executed code behind a named-function table populated by a separate package, so the actual behavior can be altered by changing that transitive without republishing this one. The ESM build performs no such call, indicating the CJS output was modified after normal build. The combination of name impersonation of a popular target plus divergent, indirection-based load-time execution not part of the advertised tsconfig-path resolution logic is the shape of a typosquat dropper.
Source: amazon-inspector (96c7307466b955fa9b453e949ec2fda3153e5c444b906eed5e3bc88d190a33a7)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.