Supply-chain threat intelligence

Incident detail

criticalnpm·obfuscation·osv

Malicious code in @vite-js/ui (npm)

@vite-js/ui

Risk score

92

AI summary

Indexed incident for @vite-js/ui (npm).

Description

Package @vite-js/ui impersonates the official vite package: package.json declares author 'Evan You', homepage 'https://vitejs.dev', ships an unmodified Vite README and a near-verbatim Vite dist/ tree, and exposes bin.vite pointing at bin/vite.js — so any developer who installs this and runs the documented vite command executes this package's CLI. Appended to the legitimate Vite bin code in bin/vite.js is a heavily obfuscated IIFE that reconstructs strings from a packed blob via a custom shuffler (keyed by 4606094, with %/#1/#0 substitutions) to hide the identifiers http, child_process, JSON, eval, and spawn. At runtime it issues a JSON-RPC HTTP fetch, XOR-decodes the response using a key derived from a remote field, passes the decoded buffer to eval(r), and then calls child_process.spawn with {detached:true, stdio:..., windowsHide:true} on a second fetched-and-decoded payload — a hidden, detached process that outlives the CLI invocation and provides a persistent execution channel. A short time-gate throttles re-trigger. Legitimate Vite has no such bootstrap; the custom string-array obfuscator covers only the network/eval/spawn surface, which is the canonical dropper-plus-backdoor shape.

Technical details

Affected versions

=7.15.16=7.15.10

Indicators

  • affected version=7.15.1675%
  • affected version=7.15.1075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents