MAL-2026-10092: Malicious code in vite-pwa-config (npm)
The npm package vite-pwa-config is a malicious typosquat of the legitimate vite-plugin-pwa package. It tricks users into importing a config object that, when invoked, spawns a detached Node.js child process which silently fetches and executes arbitrary JavaScript code from a mutable remote URL. This remote code execution occurs with full require access in the developer's build environment, enabling arbitrary code execution. The package uses environment variable shims and silent child processes to evade casual detection. Versions 1.1.1 and 1.1.2 of vite-pwa-config are affected.
AI Analysis
Technical Summary
vite-pwa-config impersonates the popular vite-plugin-pwa package by copying its metadata and README instructions. When the exported configJson/configField is used in a project's vite.config, it runs a detached Node.js child process that fetches JavaScript code from https://www.jsonkeeper.com/b/FNOBS and executes it using new Function with require access. The remote URL is hidden behind a local process.env shim to disguise the fetch as normal configuration loading. The use of a detached, silenced child process and a mutable anonymous paste host for the remote code enables arbitrary code execution in the developer's environment and evades casual review. This is a malicious package designed as a remote-fetch-and-eval dropper via typosquatting.
Potential Impact
Users who install and invoke vite-pwa-config versions 1.1.1 or 1.1.2 in their build environment risk arbitrary code execution with full require access. This can lead to compromise of the developer environment, potential theft of credentials or source code, and supply chain contamination. The remote code is fetched from a mutable anonymous paste site, allowing the attacker to change payloads at will. There are no known exploits in the wild yet.
Mitigation Recommendations
No official patch or fix is currently available for vite-pwa-config. Users should immediately stop using this package and remove it from their projects. Verify that the legitimate vite-plugin-pwa package is used instead. Avoid installing packages from untrusted or typosquatted names. Monitor your environment for any suspicious activity related to this package. Patch status is not yet confirmed — check the vendor advisory or trusted sources for updates.
MAL-2026-10092: Malicious code in vite-pwa-config (npm)
Description
The npm package vite-pwa-config is a malicious typosquat of the legitimate vite-plugin-pwa package. It tricks users into importing a config object that, when invoked, spawns a detached Node.js child process which silently fetches and executes arbitrary JavaScript code from a mutable remote URL. This remote code execution occurs with full require access in the developer's build environment, enabling arbitrary code execution. The package uses environment variable shims and silent child processes to evade casual detection. Versions 1.1.1 and 1.1.2 of vite-pwa-config are affected.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
vite-pwa-config impersonates the popular vite-plugin-pwa package by copying its metadata and README instructions. When the exported configJson/configField is used in a project's vite.config, it runs a detached Node.js child process that fetches JavaScript code from https://www.jsonkeeper.com/b/FNOBS and executes it using new Function with require access. The remote URL is hidden behind a local process.env shim to disguise the fetch as normal configuration loading. The use of a detached, silenced child process and a mutable anonymous paste host for the remote code enables arbitrary code execution in the developer's environment and evades casual review. This is a malicious package designed as a remote-fetch-and-eval dropper via typosquatting.
Potential Impact
Users who install and invoke vite-pwa-config versions 1.1.1 or 1.1.2 in their build environment risk arbitrary code execution with full require access. This can lead to compromise of the developer environment, potential theft of credentials or source code, and supply chain contamination. The remote code is fetched from a mutable anonymous paste site, allowing the attacker to change payloads at will. There are no known exploits in the wild yet.
Mitigation Recommendations
No official patch or fix is currently available for vite-pwa-config. Users should immediately stop using this package and remove it from their projects. Verify that the legitimate vite-plugin-pwa package is used instead. Avoid installing packages from untrusted or typosquatted names. Monitor your environment for any suspicious activity related to this package. Patch status is not yet confirmed — check the vendor advisory or trusted sources for updates.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10092
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a50ba6e68715ace4357fd73
Added to database: 07/10/2026, 09:25:02 UTC
Last enriched: 07/10/2026, 09:52:21 UTC
Last updated: 07/10/2026, 14:40:06 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.