{"id":"MAL-2026-5727","summary":"Malicious code in vite-config-optimizer (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f824c077d7d2705d17dc29eba9a24ea8b51b93785bcf83fdfe639fc8f9bc581f)\npackage.json declares a postinstall hook `node -e \"require('./loader.js')\"` that auto-executes on every `npm install`. loader.js spawns a detached child Node process running a dropper that hex-decodes a hidden URL (`https://jsonkeeper.com/b/L435A`, an anonymous, mutable JSON paste host), HTTPS-GETs the response body, writes it to a temp file under `/tmp/wpc-*/cfg-*.js`, and `require()`s it — running arbitrary attacker-controlled JavaScript inside the installer's Node process with the installer's privileges. The remote endpoint is concealed as a hex literal decoded with `Buffer.from(..., 'hex').toString()` to evade plain-text URL scanners, and the dropper is detached and unref'd to hide its activity. The package's advertised identity is also a cover story: the name and description claim it is a Vite configuration plugin, but the declared repository points at `webpack-tools/webpack-cache-plugin`, the main module exports a `WebpackCachePlugin` class, and the only install-time behavior is the dropper. Anyone running `npm install vite-config-optimizer` (directly or transitively) executes whatever bytes the paste host serves at request time.\n","modified":"2026-06-13T04:01:39.617338849Z","published":"2026-06-13T03:03:44Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006276","versions":["1.1.4"],"sha256":"d8d7346296470990420a83384ab12bb58bd7cafa17ed5e02fdef81440ab8e4b1","source":"amazon-inspector","modified_time":"2026-06-13T03:03:45Z","import_time":"2026-06-13T03:48:10.829286623Z"},{"id":"IN-MAL-2026-006275","versions":["1.1.4"],"sha256":"f824c077d7d2705d17dc29eba9a24ea8b51b93785bcf83fdfe639fc8f9bc581f","source":"amazon-inspector","modified_time":"2026-06-13T03:03:44Z","import_time":"2026-06-13T03:48:10.800528191Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/vite-config-optimizer/v/1.1.4"}],"affected":[{"package":{"name":"vite-config-optimizer","ecosystem":"npm","purl":"pkg:npm/vite-config-optimizer"},"versions":["1.1.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-config-optimizer/MAL-2026-5727.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-e8lXxuxuIgwvtYG3+tAHPXAtau9Jms5BiCG+MNtmdLF/ajloPKf0eWEdNZ+Nz7btptzvijydw/PdJlkS48yU5Q==","sha1":"962a8bd6c76db4eb369333a83129d0dc600d30b7"},"filename":"vite-config-optimizer-1.1.4.tgz"}],"evidence_files":[{"path":"loader.js","sha256":"a5ead14cb7532cc465ecd9f3330450e8bd6c35fca6b9d9dd2411344828294e83","tlsh":"d2318a9e1ba52234da70d3d653235426d5a3e6327341e6c0b65c58d20fa2270d2b3dfc"},{"path":"package.json","sha256":"cde41147eec70612446fe9de6d2cb3e7f492ba5539d839dd737b92d05b0ab8a1","tlsh":"95f0812446945e3309e552d94c5152b4f739cf6f05047c4907ab101d8a8e27297ff36e"}],"ips":["64.227.108.217","104.16.11.34","147.189.174.8","104.16.4.34","104.16.212.131","10.1.0.2"],"domains":["jsonkeeper.com"]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}