Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
Malicious package

@vite-tab/tabnpm

Malicious code in @vite-tab/tab (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6988
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @vite-tab/tab

What this malware does

@vite-tab/tab republishes Vite's codebase under a different name while impersonating the upstream project: package.json declares bin: { vite: 'bin/vite.js' } (hijacking the vite command on $PATH), author: 'Evan You', repository: git+https://github.com/vitejs/vite.git, and homepage: https://vitejs.dev. Appended to bin/vite.js after the legitimate Vite bootstrap is a self-decoding string table (var _$_4445=(function(k,p){...})("...",4606094)) built via a Fisher-Yates-style scramble with \x25/\x23 substitution markers; all sensitive identifiers (https, get, request, JSON.parse, child_process, spawn, eval, host fragments) are referenced as indices into this table to defeat static review. At runtime the decoded routines perform an HTTPS GET followed by a JSON-RPC POST ({jsonrpc, method, params, id:1}) to a dynamically resolved hostname, base64-decode and XOR-decrypt the response, and pass it to eval(r); a second fetched payload is launched via child_process.spawn(..., {detached:true, windowsHide:true}), with a 30-second throttle. The fetch loop runs every time a developer invokes the hijacked vite command, giving the publisher arbitrary remote code execution on the developer machine with persistence via detached child processes. The remote-hostname JSON-RPC lookup makes the C2 endpoint resistant to static domain blocking.

Malicious versions

2 flagged
3.15.105.7.0

Indicators of compromise (SHA-256)

62a19bf35a2cc4cea4177b45cf5e3abec489a0e87b1f3a294611d4c9d4bf76aa
95af865d1cf7d45f2b4c2a73eebcfcd1a1a6aba9a36f33bf8256ef4d7235903c

Detection & response playbook

Backdoor / remote access
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @vite-tab/tab (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @vite-tab/tab across your stack and pipelines.

  2. If you installed it — respond

    @vite-tab/tab establishes remote access, so treat any host that installed it as fully compromised. Isolate the machine, remove the package, rotate all credentials it could reach, and rebuild from a trusted image rather than cleaning in place — a backdoor may have planted additional persistence.

  3. Did it already run?

    If @vite-tab/tab was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks @vite-tab/tab before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. @vite-tab/tab on npm has been identified as a malicious package (versions 3.15.10, 5.7.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-008163IN-MAL-2026-008164

References

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks @vite-tab/tab-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the C2 callback and severs the channel.