OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-5936 confirms this npm version as malicious. vite-config-field@1.1.0 impersonates the legitimate vite-plugin-pwa package (README copies its banner/badges, funding field points at antfu's GitHub Sponsors, and the package re-exports VitePWA alongside the attacker-introduced configFields helper). The ESM entry dist/index.js exposes a configFields(userOpt) function which, when called from a Vite config (as the README instructs), detached-spawns `node...
Decision evidence
public snapshotSource & flagged code
7 flagged · loading sourceSource spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/index.jsView on unpkg · L48Source fingerprint signature matches a known malicious package signature; route for source-aware review.
dist/index.jsView on unpkgA single source file combines environment access, network access, and code or shell execution with blocking evidence.
dist/client/dev/reactopt.jsView on unpkg · L14Source appears to send environment or credential material to an external endpoint.
dist/client/dev/reactopt.jsView on unpkg · L5Package source references dynamic code evaluation.
dist/client/dev/reactopt.jsView on unpkg · L26Package source references weak cryptographic algorithms.
dist/index.mjsView on unpkg · L156