{"id":"MAL-2026-5936","summary":"Malicious code in vite-config-field (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8e5dabbc9cf746e153391fbe76f4dc54f9bccb9f7fd467d5b80d07c84ab1fb58)\nvite-config-field@1.1.0 impersonates the legitimate vite-plugin-pwa package (README copies its banner/badges, funding field points at antfu's GitHub Sponsors, and the package re-exports VitePWA alongside the attacker-introduced configFields helper). The ESM entry dist/index.js exposes a configFields(userOpt) function which, when called from a Vite config (as the README instructs), detached-spawns `node dist/client/dev/reactopt.js` with stdio ignored and unref'd to hide the child from the developer. dist/client/dev/reactopt.js (lines 21-23) fetches https://www.jsonkeeper.com/b/DDC6J with header `x-secret-key: _`, reads the response's `data.Cookie` field, and executes it via `new Function.constructor('require', params); handler(require)` — granting the attacker arbitrary Node code execution with require injected, on any developer or build machine that imports the package and invokes configFields(). The CJS entry dist/index.cjs intentionally omits this payload, so reviewers inspecting `main` see clean code while modern ESM toolchains that resolve via `module`/`import` get the dropper. The fetched payload host (jsonkeeper.com) is a mutable public paste-bin-like service, so the executed code can change at any time.\n","modified":"2026-06-17T06:02:05.572960388Z","published":"2026-06-16T22:20:36Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-16T23:03:43.587411959Z","sha256":"d52d1d84d7572baf6a74539864b64d5b5c803f828fc82a1dae4de2dfebdb986f","modified_time":"2026-06-16T22:20:36Z","id":"IN-MAL-2026-006846","source":"amazon-inspector","versions":["1.1.2"]},{"modified_time":"2026-06-17T04:17:46Z","id":"IN-MAL-2026-006873","import_time":"2026-06-17T05:45:41.584628953Z","sha256":"6032e3a166468dfea9d563751babb56c0684245524dfa2a284263c1acdef1dbc","source":"amazon-inspector","versions":["1.1.3"]},{"modified_time":"2026-06-17T04:17:42Z","id":"IN-MAL-2026-006872","import_time":"2026-06-17T05:45:41.542827147Z","sha256":"8e5dabbc9cf746e153391fbe76f4dc54f9bccb9f7fd467d5b80d07c84ab1fb58","source":"amazon-inspector","versions":["1.1.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/vite-config-field/v/1.1.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/vite-config-field/v/1.1.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/vite-config-field/v/1.1.0"}],"affected":[{"package":{"name":"vite-config-field","ecosystem":"npm","purl":"pkg:npm/vite-config-field"},"versions":["1.1.2","1.1.3","1.1.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"path":"dist/client/dev/reactopt.js","sha256":"dc0c817d1dae202d8736ee2fa5f5cd8eeb6a84c2226809efb4e42e0913e76704","tlsh":"0721124f757ca0a8017013f6672be426f965643f300190d5739c87a21f3655da242fde"},{"path":"package.json","tlsh":"2da1ed26c8a14ce319c035a9ac6d4287e035954bcd96fc0473cc462e0f8e6af61be77e","sha256":"bed54d296fefee1487ca52c82c49024a22cfc46da713d95b549c7469e0873b22"}],"package_integrity":[{"filename":"vite-config-field-1.1.2.tgz","hashes":{"sha1":"19924b02035488737fac3c7c766b38558cdc56b5","sha512_sri":"sha512-SgjwfCuhi5SeYwryLDtzZtoWImWGCM/L6PMMwU6ScMRXsMIbmi2s59pRR0HRgbD7Y1300jIy2FPLkfX55KXPcQ=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-config-field/MAL-2026-5936.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}