{"id":"MAL-2026-4705","summary":"Malicious code in vite-json-config (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9a7c9683fed8b8696938eb7ad88e158f70a075851b0dd511af991ecd69a4d0fd)\nThe package presents itself as a vite/tsconfig path helper and clones the public API of tsconfig-paths (createMatchPath, matchFromAbsolutePaths, register, loadConfig). A new exported `configJson` entry point spawns a detached `node lib/mapProps.js` child process via `child_process.spawn(..., { detached: true, stdio: 'ignore' })` (lib/config-loader.js). lib/mapProps.js performs an HTTPS GET to https://www.jsonkeeper.com/b/5IZTJ — an anonymous, mutable JSON paste host — and passes the response's `Cookie` field directly to `new Function('require', s)(require)`, giving the publisher arbitrary code execution inside the consumer process with full `require` access. The fetch URL and header are concealed by shadowing `process` with a local object whose `env` uses cover-story names (DEV_API_KEY, DEV_SECRET_KEY, DEV_SECRET_VALUE) that actually hold the C2 URL and HTTP header. There is no integrity check on the fetched payload; the paste content can be changed at any time by whoever controls the jsonkeeper.com entry. Combined with the cloned legitimate-package API surface, this is a deliberate supply-chain dropper, not a coding mistake.\n","modified":"2026-05-26T06:03:02.797516320Z","published":"2026-05-20T20:40:46Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-003611","modified_time":"2026-05-20T20:40:46Z","versions":["1.0.5"],"sha256":"9a7c9683fed8b8696938eb7ad88e158f70a075851b0dd511af991ecd69a4d0fd","source":"amazon-inspector","import_time":"2026-05-26T05:50:57.996342934Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/vite-json-config/v/1.0.5"}],"affected":[{"package":{"name":"vite-json-config","ecosystem":"npm","purl":"pkg:npm/vite-json-config"},"versions":["1.0.5"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha1":"db7e59a7d520f447d8a24d5e50d92e1594cc15fc","sha512_sri":"sha512-OTe9y2uy2q8DAFRU751cFzyBKoSWS5DUZTYvhuwxOb4D/g4x63/fvQlACfwqA3SP5TLeJuXYfLxyJf/ji5Emcg=="},"filename":"vite-json-config-1.0.5.tgz"}],"evidence_files":[{"tlsh":"1c21124f757ca0a8017013f5a72be426f965643f300290d5739cc7a21f3655da182fde","path":"lib/mapProps.js","sha256":"c3c20201b376f76b2f4c08ed64da39f703448f318f584f358007591ad3f9bcd0"},{"tlsh":"5d81435b6ad4a9e600b19b64d62bd016ff702f77230680a2793cd1d41f39844a1e6efa","path":"lib/config-loader.js","sha256":"94c1ab6d8ceb818c37f7cd023dcbf42d4e0513874b9ec3306f1f3b7ad9625c81"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-json-config/MAL-2026-4705.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}