Supply-chain threat intelligence

Incident detail

criticalnpm·maintainer compromise·osv

Malicious code in mdb-vite (npm)

mdb-vite

Risk score

92

AI summary

Indexed incident for mdb-vite (npm).

Description

The package's default export getPlugin performs an HTTPS fetch to https://svganchordev.net/icons/107 with URL components split across protocol, domain, separator, and path variables to disguise the destination, then passes the response's credits field to new Function('require','module',...,data.credits) and invokes it with full Node capabilities (require, module, process, Buffer, global, __dirname=process.cwd()). Any consumer that imports the package and invokes the default export runs attacker-controlled code with the installer's Node privileges — enabling arbitrary payload delivery, credential theft, persistence, or downstream compromise. Additional misdirection: the package name mdb-vite evokes MDBootstrap/Vite tooling, keywords are react, helper, svg, the README titles itself polymarket-clob-api, and package.json describes it as a Polymarket CLOB SDK — none of which match the code, which only fetches and evals remote JavaScript. A bearrtoken: 'logo' header and an unused CDN-provider map (cloudflare/fastly/akamai/cloudfront) are decoys to make the loader appear CDN-related.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Technical details

Affected versions

=1.5.2>=0

Indicators

  • Advisory IDs
    90%
  • affected version=1.5.275%
  • affected version>=075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents