MAL-2026-6709

Malicious code in vega-lite-next (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8c98ee24f91eaab2bc8360306a75519ae167dcbc3c7bd38cc395fbaa9590f4cd)

Package name impersonates the popular vega-lite library but ships no vega functionality, only a preinstall exfiltration stub. package.json declares `preinstall: node index.js`. On `npm install`, index.js collects os.hostname(), platform, arch, os.userInfo() (username/uid/gid/shell), homedir, cwd, and the output of `whoami` and `id` executed via child_process, then POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://kbztayu6auucui8s9ucz2mujkaq1er2g.oastify.com/detox56. The combination of typosquat naming, absence of library functionality, automatic preinstall execution, shell reconnaissance, and an attacker-controlled exfil endpoint is an unambiguous supply-chain attack against developers who mistype or are tricked into installing the lookalike.

Affected packages

npm / vega-lite-next

vega-lite-next is a malicious package rather than a vulnerable release of a legitimate one, so there is no safe version to pin to: the package ships the exfiltration stub and none of vega-lite's functionality. Remove it from package.json and the lockfile and install the legitimate `vega-lite` package instead. Any machine that ran `npm install` with it present should be treated as having disclosed its hostname, username, uid/gid, shell, home directory and working directory to the attacker-controlled endpoint. Setting `ignore-scripts=true` in `.npmrc` stops preinstall hooks such as this one from running at install time and is a sensible default for CI, but it does not make a lookalike package safe to depend on.