{"id":"MAL-2026-6088","summary":"Malicious code in vite-common-utils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b1d3397d754ffeb3726496769b2f159ce8596b2233b5875afa8f7fbca29ed0fd)\nThe package presents itself as a Vite utility library but its only export, loadFilbetScriptSilently, creates a \u003cscript\u003e element whose src is hardcoded to https://cdn.jsdelivr.net/gh/gongben2024/network-security@main/src/filbet.js and appends it to document.documentElement, causing the consuming application to fetch and execute whatever JavaScript that URL currently serves. The URL is unpinned (mutable @main branch), is hosted under a personal GitHub user account unrelated to the package publisher, and has no integrity/SRI check. The shipped dist/index.js is the only file in the package and is heavily mangled with obfuscator.io (string-array decoder, hex identifiers, rotation loop), and package.json's devDependencies include gulp-javascript-obfuscator — confirming the obfuscation is intentional and hides the injector. The export name suffixed 'Silently', the cover-story package name, the obfuscation, and the off-publisher mutable code source jointly indicate a remote-code-execution dropper aimed at the downstream web application's origin and its users.\n","modified":"2026-06-17T22:46:51.950397306Z","published":"2026-06-17T22:33:52Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006958","modified_time":"2026-06-17T22:33:58Z","source":"amazon-inspector","import_time":"2026-06-17T22:38:22.614222187Z","versions":["1.0.5"],"sha256":"1cee011bd6bf55f3c74e2e42c15a9df8f1f7974308da228087ba019c3e5cd831"},{"modified_time":"2026-06-17T22:33:52Z","id":"IN-MAL-2026-006956","source":"amazon-inspector","import_time":"2026-06-17T22:38:22.387689707Z","versions":["1.0.4"],"sha256":"b1d3397d754ffeb3726496769b2f159ce8596b2233b5875afa8f7fbca29ed0fd"},{"modified_time":"2026-06-17T22:33:53Z","id":"IN-MAL-2026-006957","source":"amazon-inspector","import_time":"2026-06-17T22:38:22.509457726Z","versions":["1.0.3"],"sha256":"c989aa0727b9dd8a6ee9cc42b851dcea293df2ea4129284d43b4476461d91bcb"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/vite-common-utils/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/vite-common-utils/v/1.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/vite-common-utils/v/1.0.3"}],"affected":[{"package":{"name":"vite-common-utils","ecosystem":"npm","purl":"pkg:npm/vite-common-utils"},"versions":["1.0.5","1.0.4","1.0.3"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha1":"0375e5987c718eaca90a7297d0a3e2561014da32","sha512_sri":"sha512-lEZIrcfysLQ4EKuiQzhUnJ5qFZb49pe6maCNWW3yqCSYWZ5StX5fGEITNqYq1I88ylnUcsgFIAH9IwXYJbeaxQ=="},"filename":"vite-common-utils-1.0.5.tgz"}],"evidence_files":[{"path":"dist/index.js","tlsh":"18313a952d40ad9063964fbe7677f1d8c266dc7e28d508c9e0a979c87d20a30f4e2774","sha256":"f0ab475fbfa816f3a76bd4c314c16999ab9f8d349147605b4b083f7b29fe6a29"}]},"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vite-common-utils/MAL-2026-6088.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}