Supply-chain threat intelligence
Risk score
92
Indexed incident for @vite-pro/vite-ui (npm).
Package @vite-pro/vite-ui impersonates the official vite package: package.json declares author Evan You, points repository at github.com/vitejs/vite, sets homepage to vitejs.dev, ships the upstream Vite README, and exposes a bin named vite. Appended to the end of bin/vite.js, after the legitimate CLI bootstrap and a large block of trailing whitespace, is an obfuscated IIFE that constructs a string table via a seeded Fisher-Yates shuffle (seed 4606094) to hide endpoints, method names, and constants. The loader then fetches a remote payload over HTTP, XOR-decrypts it with an embedded key, and evals the result. It subsequently fetches a second payload and passes it to child_process.spawn with detached:true, stdio:'ignore', and windowsHide:true, establishing a hidden, long-running process independent of the parent vite invocation. The loader runs every time a developer executes vite, npx vite, or npm run dev|build, giving the attacker arbitrary code execution and a persistent background process on the developer machine on each CLI use. The obfuscation technique (seeded string-array shuffle + XOR + eval + detached spawn) matches reported blockchain-C2 loader families.
Affected versions
Indicators
Timeline