MAL-2026-7021
Malicious code in @vite-js/ui (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (914257e4d1eecae3fc48e98c8a2a406ed8021ed159c4a43a96c57453d0a1f320) Package @vite-js/ui@7.15.16 impersonates the legitimate `vite` package: it copies the author name, homepage (vitejs.dev), README, and exposes a `bin` named `vite`, but publishes under an unrelated scope. Its `bin/vite.js` contains the legitimate Vite launcher followed by an appended obfuscated IIFE that uses a seeded permutation cipher and placeholder-swap encoding to reconstruct the Function constructor name and a decoded payload string, then invokes `Function(...)` with the decoded body — an eval-equivalent RCE primitive that fires whenever a developer runs the `vite` CLI provided by this package. The obfuscation shape (custom character-shuffle descrambler, hex/comma-obfuscated string tables) is combined with runtime dependencies uncharacteristic of a build tool (`@solana/web3.js`, `axios`, `socket.io-client`, `form-data`), consistent with the wallet-stealer / exfiltration family seen in prior npm typosquat incidents. Running `npx vite` or the installed `vite` bin from this package executes attacker-controlled code on the developer's machine.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @vite-js/ui (npm). Pin to a known-safe version or switch to an alternative.