registry  /  vite-plugin-config-paths  /  1.4.2

vite-plugin-config-paths@1.4.2

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10574 confirms this npm version as malicious. Package name impersonates the widely-used vite-plugin-tsconfig-paths (the package.json homepage points to the legitimate plugin's README), and the README markets the same API. The CJS entry (index.js) contains top-level code that is absent from the ESM entry (index.mjs): `const { getFunc } = require("url-func-registry"); const jsonInst = getFunc("JsonS"); const json_provider = jsonInst();`...

Advisory
MAL-2026-10574
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in vite-plugin-config-paths (npm)
Details
Package name impersonates the widely-used vite-plugin-tsconfig-paths (the package.json homepage points to the legitimate plugin's README), and the README markets the same API. The CJS entry (index.js) contains top-level code that is absent from the ESM entry (index.mjs): `const { getFunc } = require("url-func-registry"); const jsonInst = getFunc("JsonS"); const json_provider = jsonInst();`. On `require()` of this package (the resolution path Node uses for CommonJS consumers), a function looked up by string name from a transitive `url-func-registry` dependency is invoked at load time. This registry-lookup indirection hides the executed code behind a named-function table populated by a separate package, so the actual behavior can be altered by changing that transitive without republishing this one. The ESM build performs no such call, indicating the CJS output was modified after normal build. The combination of name impersonation of a popular target plus divergent, indirection-based load-time execution not part of the advertised tsconfig-path resolution logic is the shape of a typosquat dropper.
Decision reason
OpenSSF Malicious Packages via OSV confirms vite-plugin-config-paths@1.4.2 as malicious (MAL-2026-10574): Malicious code in vite-plugin-config-paths (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory