Supply-chain threat intelligence
Risk score
92
Indexed incident for @vite-js/ui (npm).
Package @vite-js/ui impersonates the official vite package: package.json declares author 'Evan You', homepage 'https://vitejs.dev', ships an unmodified Vite README and a near-verbatim Vite dist/ tree, and exposes bin.vite pointing at bin/vite.js — so any developer who installs this and runs the documented vite command executes this package's CLI. Appended to the legitimate Vite bin code in bin/vite.js is a heavily obfuscated IIFE that reconstructs strings from a packed blob via a custom shuffler (keyed by 4606094, with %/#1/#0 substitutions) to hide the identifiers http, child_process, JSON, eval, and spawn. At runtime it issues a JSON-RPC HTTP fetch, XOR-decodes the response using a key derived from a remote field, passes the decoded buffer to eval(r), and then calls child_process.spawn with {detached:true, stdio:..., windowsHide:true} on a second fetched-and-decoded payload — a hidden, detached process that outlives the CLI invocation and provides a persistent execution channel. A short time-gate throttles re-trigger. Legitimate Vite has no such bootstrap; the custom string-array obfuscator covers only the network/eval/spawn surface, which is the canonical dropper-plus-backdoor shape.
Affected versions
Indicators
Timeline