OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10528 confirms this npm version as malicious. Package is published as `@vitets/vite-ts` and copies the legitimate Vite project's author (`Evan You`), README, homepage (`vitejs.dev`), and repository (`github.com/vitejs/vite`) to impersonate the real `vite` / `@vitejs/*` packages, and declares a `bin` entry named `vite` so consumers who install it and run the `vite` CLI execute the package's `bin/vite.js`. After ~5KB of whitespace padding, `bin/vite.js` contains...
Advisory
MAL-2026-10528
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @vitets/vite-ts (npm)
Details
Package is published as `@vitets/vite-ts` and copies the legitimate Vite project's author (`Evan You`), README, homepage (`vitejs.dev`), and repository (`github.com/vitejs/vite`) to impersonate the real `vite` / `@vitejs/*` packages, and declares a `bin` entry named `vite` so consumers who install it and run the `vite` CLI execute the package's `bin/vite.js`. After ~5KB of whitespace padding, `bin/vite.js` contains an obfuscated payload that uses a custom string-scramble routine to hide identifiers (`require`, `child_process`, `spawn`, `eval`, hostnames, HTTP/JSON-RPC method names) as numeric indices into a reconstructed string table, defeating static IOC scanning. The decoded routine performs an HTTPS GET and a JSON-RPC POST to remote hosts, XORs the response with a key fetched from a second endpoint, runs `eval(r)` on the result, and additionally `child_process.spawn`s a detached background process to execute it (with `detached:true`, `windowsHide:true`). This gives the publisher arbitrary code execution on the developer's machine every time the `vite` CLI is invoked, with no integrity check on the fetched code. The package's `dist/` bundle also contains base64+Buffer decode primitives consistent with additional obfuscated payload handling.
Decision reason
OpenSSF Malicious Packages via OSV confirms @vitets/vite-ts@1.5.10 as malicious (MAL-2026-10528): Malicious code in @vitets/vite-ts (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory