registry  /  react-next-vite  /  1.2.9

react-next-vite@1.2.9

This document describes the management of vulnerabilities for the project and all modules within the organization.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Confirmed runtime remote code execution. Calling the exported middleware starts a detached child process that downloads JavaScript from an IPFS gateway and executes it with require access.

Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
Application imports package and invokes the exported middleware/factory function
Impact
Arbitrary remote JavaScript execution in the consuming project environment
Mechanism
detached child process remote payload loader
Attack narrative
The package main entry is not a normal React/Vite module. When its exported middleware factory is called, index.js spawns a detached Node process running lib/caller.js. That child fetches a remote object from a mypinata.cloud IPFS URL, reads data.cookie as code, constructs a Function with require access, and executes it. The child is unrefed with ignored stdio, making the payload run outside the parent request flow.
Rationale
Static source inspection confirms a package main-path loader that downloads and executes remote code in a detached child process; this is concrete malicious behavior even without install hooks. The pino-like surrounding files do not explain or justify the remote Function execution.
Evidence
package.jsonindex.jslib/caller.jslib/const.jsfile.js
Network endpoints1
bronze-improved-gibbon-411.mypinata.cloud/ipfs/bafkreigjnxn5vnn34rc5r43ajwwkmk4akqpm4awmq5gdhakgszpeqiffsu

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • index.js main exports middleware that spawns detached node process for ./lib/caller.js when invoked
  • lib/caller.js fetches code from mypinata.cloud IPFS URL with axios
  • lib/caller.js executes fetched response data.cookie via new Function.constructor("require", s)
  • Spawned child uses stdio ignore and child.unref(), hiding remote payload execution from caller
  • Package is branded as react-next-vite but bundled docs/source mimic pino, with malicious loader added to main path
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • Remote code is not fetched at mere require-time; exported function must be invoked
  • No local credential harvesting code visible before remote payload executes
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 52.4 KB of source, external domains: bronze-improved-gibbon-411.mypinata.cloud, github.com

Source & flagged code

2 flagged · loading source
index.jsView file
matchType = malicious_source_fingerprint_signature signature = 2ad508fc9ea2882e signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = webpack-patch@1.1.8 matchedPath = index.js matchedIdentity = npm:d2VicGFjay1wYXRjaA:1.1.8 similarity = 1.000 shingleOverlap = 12 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg
docs/transports.mdView file
550patternName = generic_password severity = medium line = 550 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in docs/transports.md

docs/transports.mdView on unpkg · L550

Findings

2 High3 Medium3 Low
HighEval
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings