MAL-2026-10619
Malicious code in @vite-js/vui (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (89dd59b0cc2b2931e47b1822fa705eba41767d28ae89bce2e277254377dd9a0a) Package publishes under @vite-js/vui while impersonating the official vite package: package.json sets author "Evan You", description "Native-ESM powered web dev build tool", repository github.com/vitejs/vite.git, and bin name "vite" mapped to bin/vite.js. bin/vite.js is the legitimate Vite bootstrapper with an obfuscated trailer appended after the normal start() call: a shuffle-decoder resolves the string "constructor" (var XVL=Oto[Ywu]), builds a Function from a decoded opaque source blob, and immediately invokes it (var CpK=XVL(HuO,Oto(IHO)); var ARH=CpK(Oto('...')); var hTf=plc(byk,ARH); hTf(3504);). Every invocation of the vite command (npm run dev/build/preview, npx vite) executes the hidden author-supplied code on the developer's machine. devDependencies additionally include @solana/web3.js, axios, socket.io-client, and form-data — libraries consistent with wallet-drainer / C2 exfiltration functionality and not present in upstream Vite.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @vite-js/vui (npm). Pin to a known-safe version or switch to an alternative.