npm

vite-pwa-config @1.1.2

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC

Malicious

OSV ID

MAL-2026-10092

Ecosystem

npm

Summary

Package vite-pwa-config impersonates the popular vite-plugin-pwa (antfu) — the README instructs users to import configJson from vite-plugin-pwa , and package metadata reuses that project's funding link, badges, and banner. When the exported configJson / configField is invoked from a project's vite.config , dist/index.cjs / index.mjs spawns a detached node child ( stdio:"ignore" , child.unref() ) running the bundled dist/client/dev/viteopt.js . That helper fetches a JavaScript string from https://www.jsonkeeper.com/b/FNOBS via axios and passes it to new Function('require', s)(require) , giving the anonymous remote endpoint arbitrary code execution in the developer's build environment with full require access. The remote URL is disguised behind a local process = { env: { DEV_API_URL:..., DEV_SECREDT:..., DEV_PREFIX:... } } shadow object to make the fetch look like ordinary env-driven configuration. Detached/silenced child spawning plus the cover-story env shim are deliberate evasion of casual review, and jsonkeeper.com is a mutable, anonymous paste host — today's content can be swapped for any payload at any time. This is a typosquat lure carrying an unpinned remote-fetch-and-eval dropper.

Source: amazon-inspector (bab1e251883a8eceecc27c935ed05352375d438c1efbbd8727f2b13a766409d0)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.