OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-7021 confirms this npm version as malicious. Package @vite-js/ui@7.15.16 impersonates the legitimate `vite` package: it copies the author name, homepage (vitejs.dev), README, and exposes a `bin` named `vite`, but publishes under an unrelated scope. Its `bin/vite.js` contains the legitimate Vite launcher followed by an appended obfuscated IIFE that uses a seeded permutation cipher and placeholder-swap encoding to reconstruct the Function constructor name and a...
Advisory
MAL-2026-7021
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @vite-js/ui (npm)
Details
Package @vite-js/ui@7.15.16 impersonates the legitimate `vite` package: it copies the author name, homepage (vitejs.dev), README, and exposes a `bin` named `vite`, but publishes under an unrelated scope. Its `bin/vite.js` contains the legitimate Vite launcher followed by an appended obfuscated IIFE that uses a seeded permutation cipher and placeholder-swap encoding to reconstruct the Function constructor name and a decoded payload string, then invokes `Function(...)` with the decoded body — an eval-equivalent RCE primitive that fires whenever a developer runs the `vite` CLI provided by this package. The obfuscation shape (custom character-shuffle descrambler, hex/comma-obfuscated string tables) is combined with runtime dependencies uncharacteristic of a build tool (`@solana/web3.js`, `axios`, `socket.io-client`, `form-data`), consistent with the wallet-stealer / exfiltration family seen in prior npm typosquat incidents. Running `npx vite` or the installed `vite` bin from this package executes attacker-controlled code on the developer's machine.
Decision reason
OpenSSF Malicious Packages via OSV confirms @vite-js/ui@7.15.16 as malicious (MAL-2026-7021): Malicious code in @vite-js/ui (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory