Supply-chain threat intelligence

Incident detail

criticalnpm·obfuscation·osv

Malicious code in @vite-pro/vite-ui (npm)

@vite-pro/vite-ui

Risk score

92

AI summary

Indexed incident for @vite-pro/vite-ui (npm).

Description

Package @vite-pro/vite-ui impersonates the official vite package: package.json declares author Evan You, points repository at github.com/vitejs/vite, sets homepage to vitejs.dev, ships the upstream Vite README, and exposes a bin named vite. Appended to the end of bin/vite.js, after the legitimate CLI bootstrap and a large block of trailing whitespace, is an obfuscated IIFE that constructs a string table via a seeded Fisher-Yates shuffle (seed 4606094) to hide endpoints, method names, and constants. The loader then fetches a remote payload over HTTP, XOR-decrypts it with an embedded key, and evals the result. It subsequently fetches a second payload and passes it to child_process.spawn with detached:true, stdio:'ignore', and windowsHide:true, establishing a hidden, long-running process independent of the parent vite invocation. The loader runs every time a developer executes vite, npx vite, or npm run dev|build, giving the attacker arbitrary code execution and a persistent background process on the developer machine on each CLI use. The obfuscation technique (seeded string-array shuffle + XOR + eval + detached spawn) matches reported blockchain-C2 loader families.

Technical details

Affected versions

=2.5.10

Indicators

  • affected version=2.5.1075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents