MAL-2026-10092
Malicious code in vite-pwa-config (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (bab1e251883a8eceecc27c935ed05352375d438c1efbbd8727f2b13a766409d0) Package `vite-pwa-config` impersonates the popular `vite-plugin-pwa` (antfu) — the README instructs users to import `configJson` from `vite-plugin-pwa`, and package metadata reuses that project's funding link, badges, and banner. When the exported `configJson`/`configField` is invoked from a project's `vite.config`, `dist/index.cjs`/`index.mjs` spawns a detached `node` child (`stdio:"ignore"`, `child.unref()`) running the bundled `dist/client/dev/viteopt.js`. That helper fetches a JavaScript string from `https://www.jsonkeeper.com/b/FNOBS` via axios and passes it to `new Function('require', s)(require)`, giving the anonymous remote endpoint arbitrary code execution in the developer's build environment with full `require` access. The remote URL is disguised behind a local `process = { env: { DEV_API_URL:..., DEV_SECREDT:..., DEV_PREFIX:... } }` shadow object to make the fetch look like ordinary env-driven configuration. Detached/silenced child spawning plus the cover-story env shim are deliberate evasion of casual review, and jsonkeeper.com is a mutable, anonymous paste host — today's content can be swapped for any payload at any time. This is a typosquat lure carrying an unpinned remote-fetch-and-eval dropper.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for vite-pwa-config (npm). Pin to a known-safe version or switch to an alternative.