registry  /  vite-pwa-config  /  1.1.1

vite-pwa-config@1.1.1

config json for Vite

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10092 confirms this npm version as malicious. Package `vite-pwa-config` impersonates the popular `vite-plugin-pwa` (antfu) — the README instructs users to import `configJson` from `vite-plugin-pwa`, and package metadata reuses that project's funding link, badges, and banner. When the exported `configJson`/`configField` is invoked from a project's `vite.config`, `dist/index.cjs`/`index.mjs` spawns a detached `node` child (`stdio:"ignore"`, `child.unref()`)...

Advisory
MAL-2026-10092
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in vite-pwa-config (npm)
Details
Package `vite-pwa-config` impersonates the popular `vite-plugin-pwa` (antfu) — the README instructs users to import `configJson` from `vite-plugin-pwa`, and package metadata reuses that project's funding link, badges, and banner. When the exported `configJson`/`configField` is invoked from a project's `vite.config`, `dist/index.cjs`/`index.mjs` spawns a detached `node` child (`stdio:"ignore"`, `child.unref()`) running the bundled `dist/client/dev/viteopt.js`. That helper fetches a JavaScript string from `https://www.jsonkeeper.com/b/FNOBS` via axios and passes it to `new Function('require', s)(require)`, giving the anonymous remote endpoint arbitrary code execution in the developer's build environment with full `require` access. The remote URL is disguised behind a local `process = { env: { DEV_API_URL:..., DEV_SECREDT:..., DEV_PREFIX:... } }` shadow object to make the fetch look like ordinary env-driven configuration. Detached/silenced child spawning plus the cover-story env shim are deliberate evasion of casual review, and jsonkeeper.com is a mutable, anonymous paste host — today's content can be swapped for any payload at any time. This is a typosquat lure carrying an unpinned remote-fetch-and-eval dropper.
Decision reason
OpenSSF Malicious Packages via OSV confirms vite-pwa-config@1.1.1 as malicious (MAL-2026-10092): Malicious code in vite-pwa-config (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory