registry  /  @uw010010/vite-tree  /  3.4.2

@uw010010/vite-tree@3.4.2

Native-ESM powered web dev build tool

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10470 confirms this npm version as malicious. The package @uw010010/vite-tree impersonates the upstream vite package: its package.json verbatim copies vite's author ('Evan You'), description ('Native-ESM powered web dev build tool'), bin name 'vite', repository (git+https://github.com/vitejs/vite.git), and homepage (https://vitejs.dev), and ships vite's README. Appended to bin/vite.js, after ~5KB of whitespace padding, is an obfuscated trailer that builds a...

Advisory
MAL-2026-10470
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @uw010010/vite-tree (npm)
Details
The package @uw010010/vite-tree impersonates the upstream vite package: its package.json verbatim copies vite's author ('Evan You'), description ('Native-ESM powered web dev build tool'), bin name 'vite', repository (git+https://github.com/vitejs/vite.git), and homepage (https://vitejs.dev), and ships vite's README. Appended to bin/vite.js, after ~5KB of whitespace padding, is an obfuscated trailer that builds a shuffled string-array dispatcher (via Fisher-Yates permutation with String.fromCharCode(127) sentinel substitution) to reconstitute method/property names such as 'http(s)', 'get', 'POST', 'request', 'child_process', 'spawn', 'JSON.parse', 'JSON.stringify', and '2.0'. At runtime the trailer issues an HTTP GET and a JSON-RPC 2.0 POST (id:1) to an attacker-controlled endpoint, XOR-decodes the response with a key derived from the response, and then both eval()s the decoded string and invokes child_process.spawn with detached:true, windowsHide:true, stdio:'ignore' to run the same decoded payload as a detached background process. The bin executes on every invocation of `vite` / `npx vite` from this package, so any developer who installs the typosquat and runs the bin gets arbitrary attacker code executed on their machine plus a hidden detached child for persistence.
Decision reason
OpenSSF Malicious Packages via OSV confirms @uw010010/vite-tree@3.4.2 as malicious (MAL-2026-10470): Malicious code in @uw010010/vite-tree (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory