MAL-2026-5714
Vulnerability from ossf_malicious_packages
Published: 2026-06-12 19:52
Modified: 2026-06-12 20:51
Summary
Malicious code in vite-plugin-logo (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b107e832dfd60ded8637d9a6db69c980eae13bde79da4cd01d69c5a1110aca2b)

On require, index.js walks up to 5 parent directories searching for public/assets/logo.png, scans the file bytes for the marker __VITE_ASSET_CACHE_v1__, base64-decodes the bytes that follow the marker, and executes them via new Function('require', code)(require) — passing the real require so the decoded payload has full Node capabilities (filesystem, network, child_process). The entire loader is wrapped in try {... } catch (e) {} to silently swallow errors, and uses single-letter identifiers and a marker name that masquerades as a Vite-internal cache to disguise intent. This is a steganographic loader: any project that installs and imports this plugin will execute whatever code is embedded in a PNG bearing the magic marker, giving an attacker (the package author, or anyone who can ship such a PNG into a consumer's public/assets/ tree) a generic remote-code-execution primitive at build/import time. The package name follows the vite-plugin-* convention but is published under the generic placeholder author Vite Community with no repository or homepage, consistent with namespace abuse against the Vite plugin ecosystem.

CWE
  • CWE-506 - The product contains code that appears to be malicious in nature.
Credits
Amazon Inspector (FINDER), inspector-research@amazon.com

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "path": "index.js",
              "sha256": "edc472b4b158f862f66b3ed30a7d49d31a6258033847aabb8cd48acda8fdc065",
              "tlsh": "de113a9856a921045433b3b2db17850af6bff16372149198bf6c92d96fb290043b7eec"
            }
          ],
          "package_integrity": [
            {
              "filename": "vite-plugin-logo-1.1.0.tgz",
              "hashes": {
                "sha1": "c26f4c2ce49d8c3af75ef5ac8e4e4a7a1c560c45",
                "sha512_sri": "sha512-Oa057LWZ9hiJyAG+wGCGWvFcLTCqUbBPYnhtCKO7+bNSepuht0QY5FlwcPsS5jXQX3dY9gTVBCeS7jDrRjshTA=="
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "vite-plugin-logo"
      },
      "versions": [
        "1.1.0",
        "1.0.5",
        "1.1.1",
        "1.0.3",
        "1.0.6",
        "1.0.4",
        "1.0.7",
        "1.0.9",
        "1.0.8"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "inspector-research@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-006223",
        "import_time": "2026-06-12T20:49:37.21859497Z",
        "modified_time": "2026-06-12T19:52:26Z",
        "sha256": "07a57a447a70e5e76ff5ea362aae40eeae0cbd34da16fd86a9833c0e456a2d1b",
        "source": "amazon-inspector",
        "versions": [
          "1.1.0"
        ]
      },
      {
        "id": "IN-MAL-2026-006222",
        "import_time": "2026-06-12T20:49:37.12586059Z",
        "modified_time": "2026-06-12T19:52:25Z",
        "sha256": "2bb9108941f02b676dbf72ca860d93bd0da0dbbd471552887f700105a8ba1df2",
        "source": "amazon-inspector",
        "versions": [
          "1.0.5"
        ]
      },
      {
        "id": "IN-MAL-2026-006224",
        "import_time": "2026-06-12T20:49:37.324692641Z",
        "modified_time": "2026-06-12T19:52:27Z",
        "sha256": "30ee8ea99de7572626712510a6410e5009ef2fa163957f93075351f08b69e55a",
        "source": "amazon-inspector",
        "versions": [
          "1.1.1"
        ]
      },
      {
        "id": "IN-MAL-2026-006219",
        "import_time": "2026-06-12T20:49:36.767037361Z",
        "modified_time": "2026-06-12T19:52:23Z",
        "sha256": "5f008b3f10b66f771a48f943f1345c17fbe06fad1e4706ce5861f48a744551ce",
        "source": "amazon-inspector",
        "versions": [
          "1.0.3"
        ]
      },
      {
        "id": "IN-MAL-2026-006227",
        "import_time": "2026-06-12T20:49:37.693632822Z",
        "modified_time": "2026-06-12T19:52:30Z",
        "sha256": "647a15809f31f151ab733bd0c8a443b7c11d77a962fe0b76d88aad0c2d45a0da",
        "source": "amazon-inspector",
        "versions": [
          "1.0.6"
        ]
      },
      {
        "id": "IN-MAL-2026-006220",
        "import_time": "2026-06-12T20:49:36.852347282Z",
        "modified_time": "2026-06-12T19:52:24Z",
        "sha256": "9a9879defd3dbcb42d07be3623d1e2e761ae3a4c4d7a5e9834004fb4ca2871a8",
        "source": "amazon-inspector",
        "versions": [
          "1.0.4"
        ]
      },
      {
        "id": "IN-MAL-2026-006221",
        "import_time": "2026-06-12T20:49:36.960747112Z",
        "modified_time": "2026-06-12T19:52:24Z",
        "sha256": "b107e832dfd60ded8637d9a6db69c980eae13bde79da4cd01d69c5a1110aca2b",
        "source": "amazon-inspector",
        "versions": [
          "1.0.7"
        ]
      },
      {
        "id": "IN-MAL-2026-006226",
        "import_time": "2026-06-12T20:49:37.588268293Z",
        "modified_time": "2026-06-12T19:52:29Z",
        "sha256": "ce01f469513e1fedb07417682dfc23546a19bc8a68a49e28d4be7bfa13cb2458",
        "source": "amazon-inspector",
        "versions": [
          "1.0.9"
        ]
      },
      {
        "id": "IN-MAL-2026-006225",
        "import_time": "2026-06-12T20:49:37.415012945Z",
        "modified_time": "2026-06-12T19:52:27Z",
        "sha256": "1a386867300096464073c028fc255497e9a8b759bd4bd50664d55cbb739ef2ba",
        "source": "amazon-inspector",
        "versions": [
          "1.0.8"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b107e832dfd60ded8637d9a6db69c980eae13bde79da4cd01d69c5a1110aca2b)\nOn require, index.js walks up to 5 parent directories searching for `public/assets/logo.png`, scans the file bytes for the marker `__VITE_ASSET_CACHE_v1__`, base64-decodes the bytes that follow the marker, and executes them via `new Function(\u0027require\u0027, code)(require)` \u2014 passing the real `require` so the decoded payload has full Node capabilities (filesystem, network, child_process). The entire loader is wrapped in `try {... } catch (e) {}` to silently swallow errors, and uses single-letter identifiers and a marker name that masquerades as a Vite-internal cache to disguise intent. This is a steganographic loader: any project that installs and imports this plugin will execute whatever code is embedded in a PNG bearing the magic marker, giving an attacker (the package author, or anyone who can ship such a PNG into a consumer\u0027s `public/assets/` tree) a generic remote-code-execution primitive at build/import time. The package name follows the `vite-plugin-*` convention but is published under the generic placeholder author `Vite Community` with no repository or homepage, consistent with namespace abuse against the Vite plugin ecosystem.\n",
  "id": "MAL-2026-5714",
  "modified": "2026-06-12T20:51:14Z",
  "published": "2026-06-12T19:52:23Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/vite-plugin-logo/v/1.1.0"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/vite-plugin-logo/v/1.0.5"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/vite-plugin-logo/v/1.1.1"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/vite-plugin-logo/v/1.0.3"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/vite-plugin-logo/v/1.0.6"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/vite-plugin-logo/v/1.0.4"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/vite-plugin-logo/v/1.0.7"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/vite-plugin-logo/v/1.0.9"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/vite-plugin-logo/v/1.0.8"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in vite-plugin-logo (npm)"
}