{"id":"MAL-2026-10092","summary":"Malicious code in vite-pwa-config (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bab1e251883a8eceecc27c935ed05352375d438c1efbbd8727f2b13a766409d0)\nPackage `vite-pwa-config` impersonates the popular `vite-plugin-pwa` (antfu) — the README instructs users to import `configJson` from `vite-plugin-pwa`, and package metadata reuses that project's funding link, badges, and banner. When the exported `configJson`/`configField` is invoked from a project's `vite.config`, `dist/index.cjs`/`index.mjs` spawns a detached `node` child (`stdio:\"ignore\"`, `child.unref()`) running the bundled `dist/client/dev/viteopt.js`. That helper fetches a JavaScript string from `https://www.jsonkeeper.com/b/FNOBS` via axios and passes it to `new Function('require', s)(require)`, giving the anonymous remote endpoint arbitrary code execution in the developer's build environment with full `require` access. The remote URL is disguised behind a local `process = { env: { DEV_API_URL:..., DEV_SECREDT:..., DEV_PREFIX:... } }` shadow object to make the fetch look like ordinary env-driven configuration. Detached/silenced child spawning plus the cover-story env shim are deliberate evasion of casual review, and jsonkeeper.com is a mutable, anonymous paste host — today's content can be swapped for any payload at any time. This is a typosquat lure carrying an unpinned remote-fetch-and-eval dropper.\n","modified":"2026-07-09T21:16:56.969885081Z","published":"2026-07-09T18:49:09Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","import_time":"2026-07-09T19:05:00.455825012Z","id":"IN-MAL-2026-009388","sha256":"bab1e251883a8eceecc27c935ed05352375d438c1efbbd8727f2b13a766409d0","modified_time":"2026-07-09T18:49:09Z","versions":["1.1.1"]},{"source":"amazon-inspector","import_time":"2026-07-09T21:03:50.829717433Z","id":"IN-MAL-2026-009397","sha256":"b2218a7874aeff01d6bb41eb677af428f8864aec1a7979319a1be932d948da46","modified_time":"2026-07-09T20:42:02Z","versions":["1.1.2"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/vite-pwa-config/v/1.1.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/vite-pwa-config/v/1.1.2"}],"affected":[{"package":{"name":"vite-pwa-config","ecosystem":"npm","purl":"pkg:npm/vite-pwa-config"},"versions":["1.1.1","1.1.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-pwa-config/MAL-2026-10092.json","indicators":{"evidence_files":[{"sha256":"002ba94ab1ebfc5aae7956529b1a26c6543baa01bf0e024d3d8fa8dea1fc8693","tlsh":"9a21af1e34bc64a8017023f5a73bd822fa69283b314290d9779c87a21f365595242edd","path":"dist/client/dev/viteopt.js"},{"sha256":"91906a91c5648c35cc51e89542825d564b55df7ff14c010caf5c9cf84a8118af","tlsh":"977163e394d855970f109ce6fd08718aea3342eed5c2f080e77a643ad5c0b45423b6dd","path":"README.md"}],"package_integrity":[{"filename":"vite-pwa-config-1.1.1.tgz","hashes":{"sha512_sri":"sha512-X3HqhN2o1RDgw/2RZH8kTnEkACMSIH2PuBqy99hmkcctCOJbMK0iWAymGYyDdlxfyj/Zzds+Soriy85g3R+R5g==","sha1":"2ee132d9ca78a61e667d8e990d9b327c87eb5054"}}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}