{"id":"MAL-2026-10619","summary":"Malicious code in @vite-js/vui (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (89dd59b0cc2b2931e47b1822fa705eba41767d28ae89bce2e277254377dd9a0a)\nPackage publishes under @vite-js/vui while impersonating the official vite package: package.json sets author \"Evan You\", description \"Native-ESM powered web dev build tool\", repository github.com/vitejs/vite.git, and bin name \"vite\" mapped to bin/vite.js. bin/vite.js is the legitimate Vite bootstrapper with an obfuscated trailer appended after the normal start() call: a shuffle-decoder resolves the string \"constructor\" (var XVL=Oto[Ywu]), builds a Function from a decoded opaque source blob, and immediately invokes it (var CpK=XVL(HuO,Oto(IHO)); var ARH=CpK(Oto('...')); var hTf=plc(byk,ARH); hTf(3504);). Every invocation of the vite command (npm run dev/build/preview, npx vite) executes the hidden author-supplied code on the developer's machine. devDependencies additionally include @solana/web3.js, axios, socket.io-client, and form-data — libraries consistent with wallet-drainer / C2 exfiltration functionality and not present in upstream Vite.\n","modified":"2026-07-14T21:04:40.998199654Z","published":"2026-07-14T20:47:33Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["7.14.16"],"id":"IN-MAL-2026-010567","import_time":"2026-07-14T20:52:50.38954353Z","modified_time":"2026-07-14T20:47:33Z","sha256":"89dd59b0cc2b2931e47b1822fa705eba41767d28ae89bce2e277254377dd9a0a"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@vite-js/vui/v/7.14.16"}],"affected":[{"package":{"name":"@vite-js/vui","ecosystem":"npm","purl":"pkg:npm/%40vite-js/vui"},"versions":["7.14.16"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"filename":"vui-7.14.16.tgz","hashes":{"sha1":"732f15f484077d64168c5edc7794bd4ae817ffe5","sha512_sri":"sha512-epMtlIagTIF4t0FLrWyj4NVcU9e8DAua9Xolz3kHaL6GyZ3465Iujo0Sz2KRAtF1jG+jn/xrypaHZ9Mfe4ZWlA=="}}],"evidence_files":[{"tlsh":"aff16d92c1ec38311710768ef09d0a6b46e24612ad4cc698bb4cfa70bfc651476ca3d9","path":"bin/vite.js","sha256":"6c2578f21e21e8a904bd07d4f01e85e727f4f16bd051f0dca465335a38f1ba7b"},{"path":"package.json","sha256":"e38bd12161d52fec35d2c7dd05a5fec311e04fc13050f878e826664bc633ef00","tlsh":"e0a1cd21cea88da31ad024e9ec790142f13485578e65fc18339d57ad0f4d26f327ebae"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@vite-js/vui/MAL-2026-10619.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}