Vulnerability
Malicious code in vite-config-optimizer (npm)
## Source: amazon-inspector (f824c077d7d2705d17dc29eba9a24ea8b51b93785bcf83fdfe639fc8f9bc581f)

package.json declares a postinstall hook `node -e "require('./loader.js')"` that auto-executes on every `npm install`. loader.js spawns a detached child Node process running a dropper that hex-decodes a hidden URL (`https://jsonkeeper.com/b/L435A`, an anonymous, mutable JSON paste host), HTTPS-GETs the response body, writes it to a temp file under `/tmp/wpc-*/cfg-*.js`, and `require()`s it, running arbitrary attacker-controlled JavaScript inside the installer's Node process with the installer's privileges.

The remote endpoint is concealed as a hex literal decoded with `Buffer.from(..., 'hex').toString()` to evade plain-text URL scanners, and the dropper is detached and unref'd to hide its activity.

The package's advertised identity is also a cover story: the name and description claim it is a Vite configuration plugin, but the declared repository points at `webpack-tools/webpack-cache-plugin`, the main module exports a `WebpackCachePlugin` class, and the only install-time behavior is the dropper.

Anyone running `npm install vite-config-optimizer` (directly or transitively) executes whatever bytes the paste host serves at request time.
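The three install-time signals described above (a lifecycle hook that runs Node code, a hex-encoded URL decoded via `Buffer.from(..., 'hex')`, and a detached, unref'd child process) can be checked statically before a package is allowed to install. The following is an added example, not code from the advisory or from the package; the manifest and loader it scans are constructed samples with a placeholder host, and the function names (`findInstallHooks`, `findHiddenUrls`, `usesDetachedChild`, `assess`) are this example's own.

```javascript
// Lifecycle hooks npm runs during `npm install`, i.e. before anyone has read the code.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Report lifecycle scripts that execute Node code directly (node -e / require()).
function findInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE_HOOKS
    .filter((h) => typeof scripts[h] === 'string')
    .filter((h) => /\bnode\b.*(-e|--eval|require\()/.test(scripts[h]))
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Decode every Buffer.from('<hex>', 'hex') literal and return those that are URLs,
// which is how the advisory's loader hides its endpoint from plain-text scanners.
function findHiddenUrls(src) {
  const re = /Buffer\.from\(\s*['"]([0-9a-fA-F]+)['"]\s*,\s*['"]hex['"]\s*\)/g;
  const urls = [];
  let m;
  while ((m = re.exec(src)) !== null) {
    const decoded = Buffer.from(m[1], 'hex').toString('utf8');
    if (/^https?:\/\/\S+$/.test(decoded)) urls.push(decoded);
  }
  return urls;
}

// Heuristic for the "detached child that the installer does not wait for" pattern.
function usesDetachedChild(src) {
  return /detached\s*:\s*true/.test(src) && /\.unref\(\)/.test(src);
}

// Combine the three signals into a verdict a pre-install gate can act on.
function assess(pkg, loaderSrc) {
  const hooks = findInstallHooks(pkg);
  const urls = findHiddenUrls(loaderSrc);
  const detached = usesDetachedChild(loaderSrc);
  const signals = [hooks.length > 0, urls.length > 0, detached].filter(Boolean).length;
  return { hooks, urls, detached, verdict: signals >= 2 ? 'block-and-review' : 'no-finding' };
}
// Constructed sample manifest and loader modelled on the advisory; the hex literal
// encodes a placeholder host, not the real endpoint, and the stage-2 fetch is left out.
const SAMPLE_PKG = { name: 'sample-plugin', scripts: { postinstall: 'node -e "require(\'./loader.js\')"' } };
const HEX_URL = Buffer.from('https://paste.example.invalid/b/PLACEHOLDER').toString('hex');
const SAMPLE_LOADER = [
  "const { spawn } = require('child_process');",
  `const target = Buffer.from('${HEX_URL}', 'hex').toString();`,
  "const child = spawn(process.execPath, ['-e', '/* stage-2 fetch omitted */'], { detached: true, stdio: 'ignore' });",
  'child.unref();',
].join('\n');
console.log(JSON.stringify(assess(SAMPLE_PKG, SAMPLE_LOADER), null, 2));
```

The regexes are deliberately narrow heuristics: a real gate would also decode base64 and char-code arrays and treat any lifecycle script as worth a look, but even this much catches the exact pattern the advisory describes.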
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Last record update .
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence