registry  /  vite-pwa-config  /  1.1.4

vite-pwa-config@1.1.4

config json for Vite

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Calling the exported `configJson` function launches a detached helper. That helper downloads and executes arbitrary CommonJS-capable JavaScript from a third-party URL.

Static reason
One or more suspicious static signals were detected.; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review
Trigger
Consumer invokes `configJson` from the package entrypoint.
Impact
Remote code execution with the invoking user's permissions.
Mechanism
Detached child process remotely fetches and evaluates a payload.
Attack narrative
`configJson` invokes `getUseropt`, which spawns `dist/client/dev/viteopt.js` as a detached, unobserved Node process. On load, that helper fetches a value from `www.jsonkeeper.com` and passes it directly to `new Function`, then invokes it with `require`, giving a remote response arbitrary local module access and code execution under the developer account.
Rationale
Source inspection confirms a concrete remote-code-execution chain behind an exported API, not merely static similarity. Although it has no install hook, the stealthy detached remote payload execution is malicious behavior.
Evidence
package.jsondist/index.jsdist/index.mjsdist/client/dev/viteopt.js
Network endpoints1
www.jsonkeeper.com/b/TUJAY

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `dist/index.js` exports `configJson`, which spawns a detached Node process.
  • `dist/client/dev/viteopt.js` fetches `https://www.jsonkeeper.com/b/TUJAY` with Axios.
  • `dist/client/dev/viteopt.js` executes fetched response data with `new Function(...); handler(require)`.
  • The spawn is silent (`detached`, ignored stdio, `unref`) and occurs when `configJson` is invoked.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • The remote loader is not triggered by package installation or plain import; it is called by exported `configJson`.
  • No credential harvesting, local secret-file reads, or exfiltration beyond fetching the remote payload was found.
  • Other writes in `dist/index.mjs` generate PWA service-worker artifacts in the consumer project.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 20 file(s), 166 KB of source, external domains: vite-pwa-org.netlify.app, www.jsonkeeper.com

Source & flagged code

6 flagged · loading source
dist/index.jsView file
1252// src/context.ts L1253: var import_node_child_process = require("child_process"); L1254: var import_node_fs5 = require("fs");
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L1252
48Cross-file remote execution chain: dist/index.js spawns dist/client/dev/viteopt.js; helper contains network access plus dynamic code execution. L48: supportLevel = 0; L49: if (globalVar.process && globalVar.process.env && globalVar.process.stdout) { L50: const { FORCE_COLOR, NODE_DISABLE_COLORS, NO_COLOR, TERM, COLORTERM } = globalVar.process.env; ... L57: } else if ("CI" in globalVar.process.env && [ L58: "TRAVIS", L59: "CIRCLECI", ... L309: try { L310: import.meta.hot.send('${DEV_READY_NAME}'); L311: } catch (e) { ... L366: Configure "${prefix}.maximumFileSizeToCacheInBytes" to change the limit: the default value is 2 MiB. L367: Check https://vite-pwa-org.netlify.app/guide/faq.html#missing-assets-from-sw-precache-manifest for more information. L368: Assets exceeding the limit:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L48
matchType = normalized_sha256 matchedPackage = vite-pwa-config@1.1.2 matchedPath = dist/index.js matchedIdentity = npm:dml0ZS1wd2EtY29uZmln:1.1.2 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/index.jsView on unpkg
matchType = malicious_source_fingerprint_signature signature = 5f633b7b77f56d6c signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = vite-pwa-config@1.1.2 matchedPath = dist/index.js matchedIdentity = npm:dml0ZS1wd2EtY29uZmln:1.1.2 similarity = 1.000 shingleOverlap = 7 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

dist/index.jsView on unpkg
dist/client/dev/viteopt.jsView file
26// Function.constructor is the same as the Function constructor L27: const handler = new Function("require", result); L28: handler(require);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/client/dev/viteopt.jsView on unpkg · L26
dist/index.mjsView file
156import { fileURLToPath } from "node:url"; L157: var _dirname = typeof __dirname !== "undefined" ? __dirname : dirname(fileURLToPath(import.meta.url)); L158: var require2 = createRequire(_dirname); ... L367: // src/context.ts L368: import { spawn } from "node:child_process"; L369: import { readFileSync } from "node:fs"; ... L417: const _dirname2 = typeof __dirname !== "undefined" ? __dirname : dirname2(fileURLToPath2(import.meta.url)); L418: const { version } = JSON.parse( L419: readFileSync(resolve3(_dirname2, "../package.json"), "utf-8") L420: ); ... L560: res.setHeader("Content-Type", "application/manifest+json"); L561: res.write(generateWebManifestFile(options), "utf-8");
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.mjsView on unpkg · L156

Findings

5 High2 Medium6 Low
HighChild Processdist/index.js
HighShell
HighCross File Remote Execution Contextdist/index.js
HighKnown Malware Source Similaritydist/index.js
HighKnown Malware Source Fingerprint Signaturedist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/client/dev/viteopt.js
LowWeak Cryptodist/index.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings