AI Security Review
scanned 2h ago · by lpm-firewall-aiThe shipped `vite` executable contains an appended, heavily obfuscated runtime payload. Running the package CLI automatically decodes and executes it after normal CLI startup.
OSV Corroboration
OpenSSF/OSVDecision evidence
public snapshot- `bin/vite.js` appends an obfuscated IIFE after the legitimate CLI.
- The appended code decodes concealed strings and invokes the decoded payload via `hTf(3504)`.
- The payload runs whenever the declared `vite` bin is executed.
- `package.json` exposes `bin/vite.js` as the `vite` command.
- Only `prepublishOnly` exists; the payload is runtime-triggered, not an install hook.
- No preinstall, install, or postinstall lifecycle hook.
- No plaintext external endpoint is visible in the inspected payload.
Source & flagged code
14 flagged · loading sourceSource appears to send environment or credential material to an external endpoint.
dist/node/chunks/dep-Cy9twKMn.jsView on unpkg · L17Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
dist/node/chunks/dep-Cy9twKMn.jsView on unpkg · L17A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/node/chunks/dep-Cy9twKMn.jsView on unpkg · L17Package source references child process execution.
dist/node/chunks/dep-Cy9twKMn.jsView on unpkg · L17Package source references shell execution.
dist/node/chunks/dep-Cy9twKMn.jsView on unpkg · L45119Package source references dynamic code evaluation.
dist/node/chunks/dep-Cy9twKMn.jsView on unpkg · L17558Source file is highly similar to a previously finalized malicious package; route for source-aware review.
dist/node/chunks/dep-Cy9twKMn.jsView on unpkgPackage source references weak cryptographic algorithms.
dist/node/chunks/dep-Cy9twKMn.jsView on unpkg · L17Package source references dynamic require/import behavior.
dist/node/runtime.jsView on unpkg · L911Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
bin/vite.jsView on unpkg · L61Source file is highly similar to a previously finalized malicious package; route for source-aware review.
dist/node-cjs/publicUtils.cjsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
dist/node/chunks/dep-BkYu-SNl.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
dist/node/cli.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
dist/node/chunks/dep-SDtFYyy1.jsView on unpkg