VDB
KO

MAL-2026-10528

Malicious code in @vitets/vite-ts (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8fe093d0d0fa83ab20aa57e9d9c8500e03a25ead578ff351fdc3609118cf5ecf) Package is published as `@vitets/vite-ts` and copies the legitimate Vite project's author (`Evan You`), README, homepage (`vitejs.dev`), and repository (`github.com/vitejs/vite`) to impersonate the real `vite` / `@vitejs/*` packages, and declares a `bin` entry named `vite` so consumers who install it and run the `vite` CLI execute the package's `bin/vite.js`. After ~5KB of whitespace padding, `bin/vite.js` contains an obfuscated payload that uses a custom string-scramble routine to hide identifiers (`require`, `child_process`, `spawn`, `eval`, hostnames, HTTP/JSON-RPC method names) as numeric indices into a reconstructed string table, defeating static IOC scanning. The decoded routine performs an HTTPS GET and a JSON-RPC POST to remote hosts, XORs the response with a key fetched from a second endpoint, runs `eval(r)` on the result, and additionally `child_process.spawn`s a detached background process to execute it (with `detached:true`, `windowsHide:true`). This gives the publisher arbitrary code execution on the developer's machine every time the `vite` CLI is invoked, with no integrity check on the fetched code. The package's `dist/` bundle also contains base64+Buffer decode primitives consistent with additional obfuscated payload handling.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @vitets/vite-ts

No fixed version published yet for @vitets/vite-ts (npm). Pin to a known-safe version or switch to an alternative.

References