Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in vite-config-field (npm)

vite-config-field

Risk score

92

AI summary

Indexed incident for vite-config-field (npm).

Description

vite-config-field@1.1.0 impersonates the legitimate vite-plugin-pwa package: the README copies its banner and badges, the funding field points at antfu's GitHub Sponsors, and the package re-exports VitePWA alongside the attacker-introduced configFields helper.

The ESM entry dist/index.js exposes a configFields(userOpt) function which, when called from a Vite config (as the README instructs), detached-spawns node dist/client/dev/reactopt.js with stdio ignored and unref'd to hide the child from the developer. dist/client/dev/reactopt.js (lines 21-23) fetches https://www.jsonkeeper.com/b/DDC6J with the header x-secret-key: _, reads the response's data.Cookie field, and executes it via new Function.constructor('require', params); handler(require), granting the attacker arbitrary Node code execution with require injected on any developer or build machine that imports the package and invokes configFields().

The CJS entry dist/index.cjs intentionally omits this payload, so reviewers inspecting main see clean code while modern ESM toolchains that resolve via module/import get the dropper. The fetched payload host (jsonkeeper.com) is a mutable public paste-bin-like service, so the executed code can change at any time.

Technical details

Affected versions

  • =1.1.2
  • =1.1.3
  • =1.1.0

Indicators

  • affected version = 1.1.2 (75%)
  • affected version = 1.1.3 (75%)
  • affected version = 1.1.0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents