registry  /  vite-pwa-config  /  1.1.3

vite-pwa-config@1.1.3

config json for Vite

AI Security Review

scanned 4h ago · by lpm-firewall-ai

A user-invoked exported config helper launches a hidden Node subprocess that fetches and executes remote JavaScript. This is concrete remote payload execution unrelated to Vite PWA configuration.

Static reason
One or more suspicious static signals were detected.; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review
Trigger
User follows README or otherwise calls configJson/configField from the package.
Impact
Remote code can run with the importing project's Node privileges, including filesystem and environment access via require.
Mechanism
detached child_process spawn plus remote new Function execution
Attack narrative
Calling the exported configJson/configField helper spawns a detached Node process for dist/client/dev/viteopt.js. That helper contacts jsonkeeper, extracts response.data.gains, constructs it as a Function with require access, and executes it while suppressing subprocess visibility via ignored stdio/unref.
Rationale
Source inspection confirms an exported, README-advertised path to remote JavaScript execution via a hidden helper process. Absence of install hooks reduces automatic install-time impact but does not make the package safe.
Evidence
package.jsonREADME.mddist/index.jsdist/index.mjsdist/client/dev/viteopt.js
Network endpoints1
www.jsonkeeper.com/b/Q2ASJ

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • dist/index.js exports configJson, which calls getUseropt(defaultOptions).
  • dist/index.js getUseropt spawns detached node helper ./client/dev/viteopt.js with stdio ignored.
  • dist/client/dev/viteopt.js GETs https://www.jsonkeeper.com/b/Q2ASJ using a hardcoded header.
  • dist/client/dev/viteopt.js reads response.data.gains, builds new Function("require", result), and executes it.
  • README.md instructs users to import and call configJson({}), activating the malicious export.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • Most dist/index.js and dist/index.mjs content is package-aligned Vite PWA/workbox functionality.
  • No local credential harvesting strings were confirmed in static package source before the remote payload executes.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 20 file(s), 166 KB of source, external domains: vite-pwa-org.netlify.app, www.jsonkeeper.com

Source & flagged code

6 flagged · loading source
dist/index.jsView file
1252// src/context.ts L1253: var import_node_child_process = require("child_process"); L1254: var import_node_fs5 = require("fs");
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L1252
48Cross-file remote execution chain: dist/index.js spawns dist/client/dev/viteopt.js; helper contains network access plus dynamic code execution. L48: supportLevel = 0; L49: if (globalVar.process && globalVar.process.env && globalVar.process.stdout) { L50: const { FORCE_COLOR, NODE_DISABLE_COLORS, NO_COLOR, TERM, COLORTERM } = globalVar.process.env; ... L57: } else if ("CI" in globalVar.process.env && [ L58: "TRAVIS", L59: "CIRCLECI", ... L309: try { L310: import.meta.hot.send('${DEV_READY_NAME}'); L311: } catch (e) { ... L366: Configure "${prefix}.maximumFileSizeToCacheInBytes" to change the limit: the default value is 2 MiB. L367: Check https://vite-pwa-org.netlify.app/guide/faq.html#missing-assets-from-sw-precache-manifest for more information. L368: Assets exceeding the limit:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L48
matchType = normalized_sha256 matchedPackage = vite-pwa-config@1.1.2 matchedPath = dist/index.js matchedIdentity = npm:dml0ZS1wd2EtY29uZmln:1.1.2 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/index.jsView on unpkg
matchType = malicious_source_fingerprint_signature signature = 5f633b7b77f56d6c signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = vite-pwa-config@1.1.2 matchedPath = dist/index.js matchedIdentity = npm:dml0ZS1wd2EtY29uZmln:1.1.2 similarity = 1.000 shingleOverlap = 7 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

dist/index.jsView on unpkg
dist/client/dev/viteopt.jsView file
26// Function.constructor is the same as the Function constructor L27: const handler = new Function("require", result); L28: handler(require);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/client/dev/viteopt.jsView on unpkg · L26
dist/index.mjsView file
156import { fileURLToPath } from "node:url"; L157: var _dirname = typeof __dirname !== "undefined" ? __dirname : dirname(fileURLToPath(import.meta.url)); L158: var require2 = createRequire(_dirname); ... L367: // src/context.ts L368: import { spawn } from "node:child_process"; L369: import { readFileSync } from "node:fs"; ... L417: const _dirname2 = typeof __dirname !== "undefined" ? __dirname : dirname2(fileURLToPath2(import.meta.url)); L418: const { version } = JSON.parse( L419: readFileSync(resolve3(_dirname2, "../package.json"), "utf-8") L420: ); ... L560: res.setHeader("Content-Type", "application/manifest+json"); L561: res.write(generateWebManifestFile(options), "utf-8");
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.mjsView on unpkg · L156

Findings

5 High2 Medium6 Low
HighChild Processdist/index.js
HighShell
HighCross File Remote Execution Contextdist/index.js
HighKnown Malware Source Similaritydist/index.js
HighKnown Malware Source Fingerprint Signaturedist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/client/dev/viteopt.js
LowWeak Cryptodist/index.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings