MAL-2026-10527
Malicious code in @vite-ts/vite-ui (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c6076869d73ce328ffd736c9df9d269cd99e505ffc3bfceae5d3f5a633a8c420) Package @vite-ts/vite-ui@6.44.1 impersonates the legitimate vite package: it clones vite's README, declares author 'Evan You', homepage https://vitejs.dev, repository vitejs/vite, and a bin entry mapping `vite` to bin/vite.js. The shipped bin/vite.js contains an obfuscated IIFE that reconstructs a string table from a shuffled blob using the integer seed 4606094 to hide the strings 'https', 'child_process', 'eval', 'POST', '2.0', and the destination URLs. At runtime the payload issues an HTTPS GET to an Ethereum block-explorer URL and a JSON-RPC POST to an Ethereum node, XOR-decodes the hex result to retrieve JavaScript code from an attacker-controlled smart contract (EtherHiding pattern), and executes the retrieved code via eval(r) and via a detached child_process.spawn('node', ['-e',...+r], { detached: true, windowsHide: true }). The fetched bytes are not pinned, not signature-verified, and are mutable by the contract owner, so any consumer invoking the `vite` CLI from this package runs whatever code the attacker currently has staged on-chain. Additional install-time curl invocations and Buffer.from(...,'base64').toString() decode chains are present in the bundled dist files.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @vite-ts/vite-ui (npm). Pin to a known-safe version or switch to an alternative.