VDB
EN

MAL-2026-10526

Malicious code in @vite-pro/vite-ui (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9aaf307faea8efb93af6f3c8ee4811304a7d9afa25f1c9525aed108efea439e7) Package `@vite-pro/vite-ui` impersonates the official `vite` package: `package.json` declares author `Evan You`, points `repository` at `github.com/vitejs/vite`, sets `homepage` to `vitejs.dev`, ships the upstream Vite README, and exposes a `bin` named `vite`. Appended to the end of `bin/vite.js`, after the legitimate CLI bootstrap and a large block of trailing whitespace, is an obfuscated IIFE that constructs a string table via a seeded Fisher-Yates shuffle (seed 4606094) to hide endpoints, method names, and constants. The loader then fetches a remote payload over HTTP, XOR-decrypts it with an embedded key, and `eval`s the result. It subsequently fetches a second payload and passes it to `child_process.spawn` with `detached:true`, `stdio:'ignore'`, and `windowsHide:true`, establishing a hidden, long-running process independent of the parent `vite` invocation. The loader runs every time a developer executes `vite`, `npx vite`, or `npm run dev|build`, giving the attacker arbitrary code execution and a persistent background process on the developer machine on each CLI use. The obfuscation technique (seeded string-array shuffle + XOR + eval + detached spawn) matches reported blockchain-C2 loader families.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / @vite-pro/vite-ui

No fixed version published yet for @vite-pro/vite-ui (npm). Pin to a known-safe version or switch to an alternative.

참고