VDB
EN

MAL-2026-10470

Malicious code in @uw010010/vite-tree (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (280687ad50e03b43bf7f26df6afb1a8fb794eb486c126b2368f37c6b76625318) The package @uw010010/vite-tree impersonates the upstream vite package: its package.json verbatim copies vite's author ('Evan You'), description ('Native-ESM powered web dev build tool'), bin name 'vite', repository (git+https://github.com/vitejs/vite.git), and homepage (https://vitejs.dev), and ships vite's README. Appended to bin/vite.js, after ~5KB of whitespace padding, is an obfuscated trailer that builds a shuffled string-array dispatcher (via Fisher-Yates permutation with String.fromCharCode(127) sentinel substitution) to reconstitute method/property names such as 'http(s)', 'get', 'POST', 'request', 'child_process', 'spawn', 'JSON.parse', 'JSON.stringify', and '2.0'. At runtime the trailer issues an HTTP GET and a JSON-RPC 2.0 POST (id:1) to an attacker-controlled endpoint, XOR-decodes the response with a key derived from the response, and then both eval()s the decoded string and invokes child_process.spawn with detached:true, windowsHide:true, stdio:'ignore' to run the same decoded payload as a detached background process. The bin executes on every invocation of `vite` / `npx vite` from this package, so any developer who installs the typosquat and runs the bin gets arbitrary attacker code executed on their machine plus a hidden detached child for persistence.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / @uw010010/vite-tree

No fixed version published yet for @uw010010/vite-tree (npm). Pin to a known-safe version or switch to an alternative.

참고