CRITICAL npm Malware

Malicious code in vite-plugin-logo (npm)

MAL-2026-5714


Description


Source: amazon-inspector (b107e832dfd60ded8637d9a6db69c980eae13bde79da4cd01d69c5a1110aca2b)

On require, index.js walks up to 5 parent directories searching for public/assets/logo.png, scans the file bytes for the marker __VITE_ASSET_CACHE_v1__, base64-decodes the bytes that follow the marker, and executes them via new Function('require', code)(require) — passing the real require so the decoded payload has full Node capabilities (filesystem, network, child_process). The entire loader is wrapped in try { ... } catch (e) {} to silently swallow errors, and uses single-letter identifiers and a marker name that masquerades as a Vite-internal cache to disguise intent. This is a steganographic loader: any project that installs and imports this plugin will execute whatever code is embedded in a PNG bearing the magic marker, giving an attacker (the package author, or anyone who can ship such a PNG into a consumer's public/assets/ tree) a generic remote-code-execution primitive at build/import time. The package name follows the vite-plugin-* convention but is published under the generic placeholder author Vite Community with no repository or homepage, consistent with namespace abuse against the Vite plugin ecosystem.
