registry  /  vite-config-field  /  1.1.0

vite-config-field@1.1.0

OSV Malicious Advisory

scanned 9d ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-5936 confirms this npm version as malicious. vite-config-field@1.1.0 impersonates the legitimate vite-plugin-pwa package (README copies its banner/badges, funding field points at antfu's GitHub Sponsors, and the package re-exports VitePWA alongside the attacker-introduced configFields helper). The ESM entry dist/index.js exposes a configFields(userOpt) function which, when called from a Vite config (as the README instructs), detached-spawns `node...

Advisory
MAL-2026-5936
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in vite-config-field (npm)
Details
vite-config-field@1.1.0 impersonates the legitimate vite-plugin-pwa package (README copies its banner/badges, funding field points at antfu's GitHub Sponsors, and the package re-exports VitePWA alongside the attacker-introduced configFields helper). The ESM entry dist/index.js exposes a configFields(userOpt) function which, when called from a Vite config (as the README instructs), detached-spawns `node dist/client/dev/reactopt.js` with stdio ignored and unref'd to hide the child from the developer. dist/client/dev/reactopt.js (lines 21-23) fetches https://www.jsonkeeper.com/b/DDC6J with header `x-secret-key: _`, reads the response's `data.Cookie` field, and executes it via `new Function.constructor('require', params); handler(require)` — granting the attacker arbitrary Node code execution with require injected, on any developer or build machine that imports the package and invokes configFields(). The CJS entry dist/index.cjs intentionally omits this payload, so reviewers inspecting `main` see clean code while modern ESM toolchains that resolve via `module`/`import` get the dropper. The fetched payload host (jsonkeeper.com) is a mutable public paste-bin-like service, so the executed code can change at any time. ## Source: ghsa-malware (9f3a3a13cccda063a98a0048217c3db7c09659ba943668736368cfff187ad4b4) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms vite-config-field@1.1.0 as malicious (MAL-2026-5936): Malicious code in vite-config-field (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory