MAL-2026-10574
Malicious code in vite-plugin-config-paths (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (96c7307466b955fa9b453e949ec2fda3153e5c444b906eed5e3bc88d190a33a7) Package name impersonates the widely-used vite-plugin-tsconfig-paths (the package.json homepage points to the legitimate plugin's README), and the README markets the same API. The CJS entry (index.js) contains top-level code that is absent from the ESM entry (index.mjs): `const { getFunc } = require("url-func-registry"); const jsonInst = getFunc("JsonS"); const json_provider = jsonInst();`. On `require()` of this package (the resolution path Node uses for CommonJS consumers), a function looked up by string name from a transitive `url-func-registry` dependency is invoked at load time. This registry-lookup indirection hides the executed code behind a named-function table populated by a separate package, so the actual behavior can be altered by changing that transitive without republishing this one. The ESM build performs no such call, indicating the CJS output was modified after normal build. The combination of name impersonation of a popular target plus divergent, indirection-based load-time execution not part of the advertised tsconfig-path resolution logic is the shape of a typosquat dropper.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for vite-plugin-config-paths (npm). Pin to a known-safe version or switch to an alternative.