VDB
KO

MAL-2026-10092

Malicious code in vite-pwa-config (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bab1e251883a8eceecc27c935ed05352375d438c1efbbd8727f2b13a766409d0) Package `vite-pwa-config` impersonates the popular `vite-plugin-pwa` (antfu) — the README instructs users to import `configJson` from `vite-plugin-pwa`, and package metadata reuses that project's funding link, badges, and banner. When the exported `configJson`/`configField` is invoked from a project's `vite.config`, `dist/index.cjs`/`index.mjs` spawns a detached `node` child (`stdio:"ignore"`, `child.unref()`) running the bundled `dist/client/dev/viteopt.js`. That helper fetches a JavaScript string from `https://www.jsonkeeper.com/b/FNOBS` via axios and passes it to `new Function('require', s)(require)`, giving the anonymous remote endpoint arbitrary code execution in the developer's build environment with full `require` access. The remote URL is disguised behind a local `process = { env: { DEV_API_URL:..., DEV_SECREDT:..., DEV_PREFIX:... } }` shadow object to make the fetch look like ordinary env-driven configuration. Detached/silenced child spawning plus the cover-story env shim are deliberate evasion of casual review, and jsonkeeper.com is a mutable, anonymous paste host — today's content can be swapped for any payload at any time. This is a typosquat lure carrying an unpinned remote-fetch-and-eval dropper.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / vite-pwa-config

No fixed version published yet for vite-pwa-config (npm). Pin to a known-safe version or switch to an alternative.

References