OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-7021 confirms this npm version as malicious. Package `@vite-js/ui` impersonates the official `vite` package: package.json declares author 'Evan You', homepage 'https://vitejs.dev', ships an unmodified Vite README and a near-verbatim Vite `dist/` tree, and exposes `bin.vite` pointing at `bin/vite.js` — so any developer who installs this and runs the documented `vite` command executes this package's CLI. Appended to the legitimate Vite bin code in `bin/vite.js`...
Advisory
MAL-2026-7021
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @vite-js/ui (npm)
Details
Package `@vite-js/ui` impersonates the official `vite` package: package.json declares author 'Evan You', homepage 'https://vitejs.dev', ships an unmodified Vite README and a near-verbatim Vite `dist/` tree, and exposes `bin.vite` pointing at `bin/vite.js` — so any developer who installs this and runs the documented `vite` command executes this package's CLI. Appended to the legitimate Vite bin code in `bin/vite.js` is a heavily obfuscated IIFE that reconstructs strings from a packed blob via a custom shuffler (keyed by 4606094, with `%`/`#1`/`#0` substitutions) to hide the identifiers `http`, `child_process`, `JSON`, `eval`, and `spawn`. At runtime it issues a JSON-RPC HTTP fetch, XOR-decodes the response using a key derived from a remote field, passes the decoded buffer to `eval(r)`, and then calls `child_process.spawn` with `{detached:true, stdio:..., windowsHide:true}` on a second fetched-and-decoded payload — a hidden, detached process that outlives the CLI invocation and provides a persistent execution channel. A short time-gate throttles re-trigger. Legitimate Vite has no such bootstrap; the custom string-array obfuscator covers only the network/eval/spawn surface, which is the canonical dropper-plus-backdoor shape.
Decision reason
OpenSSF Malicious Packages via OSV confirms @vite-js/ui@7.15.10 as malicious (MAL-2026-7021): Malicious code in @vite-js/ui (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory