Malicious code in vite-config-field (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e5dabbc9cf746e153391fbe76f4dc54f9bccb9f7fd467d5b80d07c84ab1fb58 [email protected] impersonates the legitimate vite-plugin-pwa package README copies its banner/badges, funding field points at antfu's GitHub...

Malicious code in vite-plugin-logo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b107e832dfd60ded8637d9a6db69c980eae13bde79da4cd01d69c5a1110aca2b On require, index.js walks up to 5 parent directories searching for public/assets/logo.png, scans the file bytes for the marker VITEASSETCACHEv1,...

MAL-2026-5714 Malicious code in vite-plugin-logo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b107e832dfd60ded8637d9a6db69c980eae13bde79da4cd01d69c5a1110aca2b On require, index.js walks up to 5 parent directories searching for public/assets/logo.png, scans the file bytes for the marker VITEASSETCACHEv1,...

Malicious code in vite-plugin-compress-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7f7b2710441863a429a2a1833e06f54e9afc23c87d1b40d7ee09e1995c6a65c2 On module load, this Vite plugin performs an HTTP GET to https://www.jsonkeeper.com/b/XVHGD an anonymous, mutable paste host and passes the response'...

MAL-2026-5713 Malicious code in vite-plugin-compress-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7f7b2710441863a429a2a1833e06f54e9afc23c87d1b40d7ee09e1995c6a65c2 On module load, this Vite plugin performs an HTTP GET to https://www.jsonkeeper.com/b/XVHGD an anonymous, mutable paste host and passes the response'...

MAL-2026-5708 Malicious code in vite-svgr (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a22a309bc488d107fc2734705e05bb4032432bb9b54391e8ee2325d980b2cdf5 Package name vite-svgr impersonates the popular vite-plugin-svgr, but the shipped code is a fork of tsconfig-paths package.json description: 'Load no...

Malicious code in vite-plugin-env-compat-plus (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2512f14cad895787ebcbbf00d51ef388752104f69dcba83360b9ce44a04467f2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious Package

Overview vite-plugin-env-compat-plus is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

Malicious Package

Overview vite-plugin-env-compat-1.5 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

MAL-2026-4333 Malicious code in vite-plugin-env-compat-1.5 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0597776b3155fb9a02f2a9e559b28d2e07543aaf5fad3e2e26c594876e77fce7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in vite-plugin-env-compat-1.5 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0597776b3155fb9a02f2a9e559b28d2e07543aaf5fad3e2e26c594876e77fce7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in vite-plugin-css-blend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7a47fa75fbd028d1aca89ca790036f760c76d8e486175505ef4a8f59f33e7c76 The package is published as a Vite CSS plugin but exposes no Vite plugin API. Its documented applyGlobalStylespalette, accents export, when called on...

MAL-2026-4706 Malicious code in vite-plugin-css-blend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7a47fa75fbd028d1aca89ca790036f760c76d8e486175505ef4a8f59f33e7c76 The package is published as a Vite CSS plugin but exposes no Vite plugin API. Its documented applyGlobalStylespalette, accents export, when called on...

crypto-utils-box (=0.0.6), knk (=0.1.11) +1 more potentially affected by unknown CVE via xmorse (=1.0.0)

xmorse NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on xmorse and may be impacted: - crypto-utils-box =0.0.6 - knk =0.1.11 - vite-plugin-qwer =0.0.5, =0.0.7 Source cves: unknown CVE Source advisory: SNYK:JS-XMORSE-16755071...

crypto-utils-box (=0.0.6), knk (=0.1.11) +1 more potentially affected by unknown CVE via xmorse (=1.0.0)

xmorse NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on xmorse and may be impacted: - crypto-utils-box =0.0.6 - knk =0.1.11 - vite-plugin-qwer =0.0.5, =0.0.7 Source cves: unknown CVE Source advisory: SNYK:JS-XMORSE-16754902...

Malicious code in @tanstack/router-vite-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 59c369975f931e9f8a4ca499e887c2ec41f7d1dbfcdcb83fa9e6ec9717ea4910 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-3480 Malicious code in @tanstack/router-vite-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 59c369975f931e9f8a4ca499e887c2ec41f7d1dbfcdcb83fa9e6ec9717ea4910 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

@tanstack/react-start (>=1.167.5 <=1.167.6), @tanstack/router-vite-plugin (=1.166.19) +3 more potentially affected by CVE-2026-45321 via @tanstack/router-plugin (=1.167.4)

@tanstack/router-plugin NPM version =1.167.4 is affected by a known vulnerability. The following packages have a transitive dependency on @tanstack/router-plugin and may be impacted: - @tanstack/react-start =1.167.5, =1.167.5, =1.167.8, =1.167.5, =1.167.6 Source cves: CVE-2026-45321 Source...

MAL-2026-3464 Malicious code in @tanstack/nitro-v2-vite-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f689866f0ed8e6cf47200b7bf613dd377c407e21d5ed6b2a0caf5252e822d8ff Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Allocation of Resources Without Limits or Throttling

Overview @vitejs/plugin-rsc is a React Server Components RSC support for Vite. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via server function endpoints. An attacker can cause out-of-memory exceptions or induce excessive CPU usage by...