Vulnerability
Malicious code in vite-plugin-logo (npm)
## Source: amazon-inspector (b107e832dfd60ded8637d9a6db69c980eae13bde79da4cd01d69c5a1110aca2b)

On require, index.js walks up to 5 parent directories searching for `public/assets/logo.png`, scans the file bytes for the marker `__VITE_ASSET_CACHE_v1__`, base64-decodes the bytes that follow the marker, and executes them via `new Function('require', code)(require)`, passing the real `require` so the decoded payload has full Node capabilities (filesystem, network, child_process). The entire loader is wrapped in `try { ... } catch (e) {}` to silently swallow errors, and it uses single-letter identifiers and a marker name that masquerades as a Vite-internal cache to disguise intent.

This is a steganographic loader: any project that installs and imports this plugin will execute whatever code is embedded in a PNG bearing the magic marker, giving an attacker (the package author, or anyone who can ship such a PNG into a consumer's `public/assets/` tree) a generic remote-code-execution primitive at build/import time.

The package name follows the `vite-plugin-*` convention but is published under the generic placeholder author `Vite Community` with no repository or homepage, consistent with namespace abuse against the Vite plugin ecosystem.
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs.
No exploitation, limited impact or prevalence