AI Security Review
scanned 3h ago · by lpm-firewall-aiRunning the exported `vite` executable evaluates an opaque, self-decoding payload appended to the CLI. The payload constructs and invokes hidden code rather than serving Vite functionality.
Decision evidence
public snapshot- `bin/vite.js` appends a 7.5KB obfuscated payload after the normal CLI.
- The appended code decodes `constructor`, builds a function from hidden strings, and invokes it during module evaluation.
- The payload aliases `require`, `module`, `__dirname`, and `__filename` onto globals before executing.
- The `vite` bin is exposed by `package.json`, so any `vite` CLI invocation triggers the hidden payload.
- `package.json` has no `preinstall`, `install`, or `postinstall` hook.
- The visible prefix of `bin/vite.js` is a normal Vite CLI bootstrap.
Source & flagged code
10 flagged · loading sourceSource appears to send environment or credential material to an external endpoint.
dist/node/chunks/dep-Cy9twKMn.jsView on unpkg · L17Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
dist/node/chunks/dep-Cy9twKMn.jsView on unpkg · L17A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/node/chunks/dep-Cy9twKMn.jsView on unpkg · L17Package source references child process execution.
dist/node/chunks/dep-Cy9twKMn.jsView on unpkg · L17Package source references shell execution.
dist/node/chunks/dep-Cy9twKMn.jsView on unpkg · L45119Package source references dynamic code evaluation.
dist/node/chunks/dep-Cy9twKMn.jsView on unpkg · L17558Source fingerprint signature matches a known malicious package signature; route for source-aware review.
dist/node/chunks/dep-Cy9twKMn.jsView on unpkgPackage source references weak cryptographic algorithms.
dist/node/chunks/dep-Cy9twKMn.jsView on unpkg · L17Package source references dynamic require/import behavior.
dist/node/runtime.jsView on unpkg · L911Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
bin/vite.jsView on unpkg · L61