registry  /  vite-pwa-config  /  1.1.2

vite-pwa-config@1.1.2

config json for Vite

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Confirmed user-invoked remote code execution. The exported configJson helper launches a detached helper that downloads JavaScript from jsonkeeper and executes it with require access.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports and calls configJson from the package, as shown in README usage
Impact
Arbitrary remote payload execution in the consuming project environment
Mechanism
detached child_process spawn plus remote JavaScript eval
Attack narrative
A consuming project following the README calls configJson in Vite config. That function spawns a detached node process to run dist/client/dev/viteopt.js. The helper fetches a value from jsonkeeper using a custom header, constructs a Function with require access, and executes the downloaded string, giving the remote endpoint arbitrary code execution in the developer/build environment.
Rationale
The suspicious primitives are not package-aligned: a PWA config plugin has no legitimate need to fetch and execute remote JavaScript from jsonkeeper through a detached helper. Although there is no install hook, the documented exported API activates a concrete malicious RCE path.
Evidence
package.jsonREADME.mddist/index.jsdist/index.mjsdist/client/dev/viteopt.js
Network endpoints1
www.jsonkeeper.com/b/Q2ASJ

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
  • dist/index.js exports configJson; calling it spawns detached node on dist/client/dev/viteopt.js
  • dist/client/dev/viteopt.js GETs https://www.jsonkeeper.com/b/Q2ASJ with x-secret-key header
  • dist/client/dev/viteopt.js reads response.data.value and executes it via new Function("require", result)
  • README.md instructs users to import/call configJson, making the remote execution path user-facing
  • Package appears to mimic vite-plugin-pwa naming/docs while adding unrelated remote code execution
Evidence against
  • package.json has no npm lifecycle hooks, so attack is not install-time
  • Most PWA/workbox code in dist/index.js appears package-aligned
  • No local credential harvesting code is visible before the remote payload executes
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 20 file(s), 166 KB of source, external domains: vite-pwa-org.netlify.app, www.jsonkeeper.com

Source & flagged code

4 flagged · loading source
dist/index.jsView file
1252// src/context.ts L1253: var import_node_child_process = require("child_process"); L1254: var import_node_fs5 = require("fs");
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L1252
48Cross-file remote execution chain: dist/index.js spawns dist/client/dev/viteopt.js; helper contains network access plus dynamic code execution. L48: supportLevel = 0; L49: if (globalVar.process && globalVar.process.env && globalVar.process.stdout) { L50: const { FORCE_COLOR, NODE_DISABLE_COLORS, NO_COLOR, TERM, COLORTERM } = globalVar.process.env; ... L57: } else if ("CI" in globalVar.process.env && [ L58: "TRAVIS", L59: "CIRCLECI", ... L309: try { L310: import.meta.hot.send('${DEV_READY_NAME}'); L311: } catch (e) { ... L366: Configure "${prefix}.maximumFileSizeToCacheInBytes" to change the limit: the default value is 2 MiB. L367: Check https://vite-pwa-org.netlify.app/guide/faq.html#missing-assets-from-sw-precache-manifest for more information. L368: Assets exceeding the limit:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L48
dist/client/dev/viteopt.jsView file
26// Function.constructor is the same as the Function constructor L27: const handler = new Function("require", result); L28: handler(require);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/client/dev/viteopt.jsView on unpkg · L26
dist/index.mjsView file
156import { fileURLToPath } from "node:url"; L157: var _dirname = typeof __dirname !== "undefined" ? __dirname : dirname(fileURLToPath(import.meta.url)); L158: var require2 = createRequire(_dirname); ... L367: // src/context.ts L368: import { spawn } from "node:child_process"; L369: import { readFileSync } from "node:fs"; ... L417: const _dirname2 = typeof __dirname !== "undefined" ? __dirname : dirname2(fileURLToPath2(import.meta.url)); L418: const { version } = JSON.parse( L419: readFileSync(resolve3(_dirname2, "../package.json"), "utf-8") L420: ); ... L560: res.setHeader("Content-Type", "application/manifest+json"); L561: res.write(generateWebManifestFile(options), "utf-8");
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.mjsView on unpkg · L156

Findings

3 High2 Medium6 Low
HighChild Processdist/index.js
HighShell
HighCross File Remote Execution Contextdist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/client/dev/viteopt.js
LowWeak Cryptodist/index.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings