MAL-2026-5713
Vulnerability from ossf_malicious_packages
Published
2026-06-12 19:43
Modified
2026-06-23 16:56
Summary
Malicious code in vite-plugin-compress-js (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7f7b2710441863a429a2a1833e06f54e9afc23c87d1b40d7ee09e1995c6a65c2)

On module load, this Vite plugin performs an HTTP GET to https://www.jsonkeeper.com/b/XVHGD (an anonymous, mutable paste host) and passes the response's data field to new Function.constructor("require",...), then invokes the resulting function with require — granting the remote payload full Node.js capabilities (fs, child_process, network) inside the consumer's Vite build process. dist/index.mjs (lines ~124-128) calls the fetch+eval directly via initPlugin(); dist/index.cjs (lines ~130-141) wraps the same payload in if (isMainThread) { new Worker(__filename) } else { initPlugin() }, spawning a worker that re-loads the module with isMainThread=false and executes the network-fetched code in the worker thread to obscure the behavior from naive inspection. The package name and metadata (author 'Vben', debug name 'vite-plugin-compression', plugin name 'vite:compression') clone the well-known vite-plugin-compress / vite-plugin-compression packages, and an otherwise-unused request dependency exists solely to perform the C2 fetch. Any developer or build system that imports this package executes whatever JavaScript the operator currently has hosted at the jsonkeeper paste.

CWE
  • CWE-506 - The product contains code that appears to be malicious in nature.
Credits

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "domains": [
            "34.2.16.104.in-addr.arpa"
          ],
          "evidence_files": [
            {
              "path": "dist/index.cjs",
              "sha256": "bcb795c215752fbbccd30173477e4c129a7b925ca400762f8ecd7aec5e6ddbe7",
              "tlsh": "52f135292af671314163b8ec9f9f801a7226da87301cfd847accd7842f5a525d2e77d8"
            },
            {
              "path": "package.json",
              "sha256": "3e78c7242a29bb4fb94832d8c129b63b5ebb1c3b0709ef016663bbfce2320624",
              "tlsh": "86214d34c4b84d6309c968e59c7d4297a232594b8994fd0873db116c0f8d69f11ff6ee"
            }
          ],
          "package_integrity": [
            {
              "filename": "vite-plugin-compress-js-0.5.5.tgz",
              "hashes": {
                "sha1": "a6af48bf91130395b75cdc6877e625d1cf8cb44e",
                "sha512_sri": "sha512-ebOkG71QUuCTMujg21yQCtTDTYptybCRJ52F7ZZA+h5z2uTk4cSCHM0CoJgtNIVDPsoTY5Zmka5bkxquEwFhIQ=="
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "vite-plugin-compress-js"
      },
      "versions": [
        "0.5.5",
        "0.5.6",
        "0.5.7"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "inspector-research@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-006216",
        "import_time": "2026-06-12T20:49:36.485443084Z",
        "modified_time": "2026-06-12T19:43:47Z",
        "sha256": "ba5cca8be2f19842c304f355a2219256b3af26e9df385ec314ea6899621110aa",
        "source": "amazon-inspector",
        "versions": [
          "0.5.5"
        ]
      },
      {
        "id": "IN-MAL-2026-006217",
        "import_time": "2026-06-12T20:49:36.58515349Z",
        "modified_time": "2026-06-12T19:43:48Z",
        "sha256": "e3b05da4b2b34b75fb23780b1b8deeeb320c6b3983fbd53c70dc430b1c2e401b",
        "source": "amazon-inspector",
        "versions": [
          "0.5.5"
        ]
      },
      {
        "id": "IN-MAL-2026-007256",
        "import_time": "2026-06-23T16:54:12.109841367Z",
        "modified_time": "2026-06-23T15:58:44Z",
        "sha256": "27be652b7788f48b10d05076a6abf2abd97da8878378034f6c24377fe6522010",
        "source": "amazon-inspector",
        "versions": [
          "0.5.6"
        ]
      },
      {
        "id": "IN-MAL-2026-007257",
        "import_time": "2026-06-23T16:54:12.165796378Z",
        "modified_time": "2026-06-23T15:58:47Z",
        "sha256": "7f7b2710441863a429a2a1833e06f54e9afc23c87d1b40d7ee09e1995c6a65c2",
        "source": "amazon-inspector",
        "versions": [
          "0.5.7"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (7f7b2710441863a429a2a1833e06f54e9afc23c87d1b40d7ee09e1995c6a65c2)\nOn module load, this Vite plugin performs an HTTP GET to https://www.jsonkeeper.com/b/XVHGD (an anonymous, mutable paste host) and passes the response\u0027s `data` field to `new Function.constructor(\"require\",...)`, then invokes the resulting function with `require` \u2014 granting the remote payload full Node.js capabilities (fs, child_process, network) inside the consumer\u0027s Vite build process. dist/index.mjs (lines ~124-128) calls the fetch+eval directly via initPlugin(); dist/index.cjs (lines ~130-141) wraps the same payload in `if (isMainThread) { new Worker(__filename) } else { initPlugin() }`, spawning a worker that re-loads the module with isMainThread=false and executes the network-fetched code in the worker thread to obscure the behavior from naive inspection. The package name and metadata (author \u0027Vben\u0027, debug name \u0027vite-plugin-compression\u0027, plugin name \u0027vite:compression\u0027) clone the well-known vite-plugin-compress / vite-plugin-compression packages, and an otherwise-unused `request` dependency exists solely to perform the C2 fetch. Any developer or build system that imports this package executes whatever JavaScript the operator currently has hosted at the jsonkeeper paste.\n",
  "id": "MAL-2026-5713",
  "modified": "2026-06-23T16:56:10Z",
  "published": "2026-06-12T19:43:47Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/vite-plugin-compress-js/v/0.5.5"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/vite-plugin-compress-js/v/0.5.6"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/vite-plugin-compress-js/v/0.5.7"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in vite-plugin-compress-js (npm)"
}

