Vulnerability
Malicious code in vite-plugin-compress-js (npm)
---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ba5cca8be2f19842c304f355a2219256b3af26e9df385ec314ea6899621110aa)

On module load, the package's `initPlugin()` function performs an HTTP GET to https://www.jsonkeeper.com/b/OTOAQ (an anonymous public JSON-paste host) and passes the response body's `.data` field to `new Function.constructor('require', ...)(require)`. Since `Function.constructor` is simply `Function`, this is an `eval`-equivalent: it executes attacker-controlled JavaScript with full Node `require` access on the developer or build machine, and the payload can be changed server-side at any time without republishing the package. The ESM entry invokes `initPlugin()` at top level; the CJS entry spawns a `worker_threads` Worker on `__filename`, so the same fetch-and-exec runs in the worker. Evidence is in `dist/index.cjs`, lines 148-156.

The package name `vite-plugin-compress-js` mimics the legitimate `vite-plugin-compress` / `vite-plugin-compression` packages and copies their description (`Use gzip or brotli to compress resources.`) and surface API (gzip/brotli on `closeBundle`) as cover for the dropper. Its runtime dependencies (`express`, `request`, `sqlite3`) are inconsistent with a compression plugin; `request` is the transport used by the dropper. Any project that adds this plugin to its Vite config triggers remote code execution at build time, and any CI runner or developer workstation that installed it should be treated as compromised until the fetched payload is known.
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs.
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence