OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10526 confirms this npm version as malicious. Package `@vite-pro/vite-ui` impersonates the official `vite` package: `package.json` declares author `Evan You`, points `repository` at `github.com/vitejs/vite`, sets `homepage` to `vitejs.dev`, ships the upstream Vite README, and exposes a `bin` named `vite`. Appended to the end of `bin/vite.js`, after the legitimate CLI bootstrap and a large block of trailing whitespace, is an obfuscated IIFE that constructs a...
Advisory
MAL-2026-10526
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @vite-pro/vite-ui (npm)
Details
Package `@vite-pro/vite-ui` impersonates the official `vite` package: `package.json` declares author `Evan You`, points `repository` at `github.com/vitejs/vite`, sets `homepage` to `vitejs.dev`, ships the upstream Vite README, and exposes a `bin` named `vite`. Appended to the end of `bin/vite.js`, after the legitimate CLI bootstrap and a large block of trailing whitespace, is an obfuscated IIFE that constructs a string table via a seeded Fisher-Yates shuffle (seed 4606094) to hide endpoints, method names, and constants. The loader then fetches a remote payload over HTTP, XOR-decrypts it with an embedded key, and `eval`s the result. It subsequently fetches a second payload and passes it to `child_process.spawn` with `detached:true`, `stdio:'ignore'`, and `windowsHide:true`, establishing a hidden, long-running process independent of the parent `vite` invocation. The loader runs every time a developer executes `vite`, `npx vite`, or `npm run dev|build`, giving the attacker arbitrary code execution and a persistent background process on the developer machine on each CLI use. The obfuscation technique (seeded string-array shuffle + XOR + eval + detached spawn) matches reported blockchain-C2 loader families.
Decision reason
OpenSSF Malicious Packages via OSV confirms @vite-pro/vite-ui@2.5.10 as malicious (MAL-2026-10526): Malicious code in @vite-pro/vite-ui (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory