@vite-tab/tabnpm
Malicious code in @vite-tab/tab (npm) Remove it immediately and rotate any exposed credentials.
What this malware does
@vite-tab/tab republishes Vite's codebase under a different name while impersonating the upstream project: package.json declares bin: { vite: 'bin/vite.js' } (hijacking the vite command on $PATH), author: 'Evan You', repository: git+https://github.com/vitejs/vite.git, and homepage: https://vitejs.dev. Appended to bin/vite.js after the legitimate Vite bootstrap is a self-decoding string table (var _$_4445=(function(k,p){...})("...",4606094)) built via a Fisher-Yates-style scramble with \x25/\x23 substitution markers; all sensitive identifiers (https, get, request, JSON.parse, child_process, spawn, eval, host fragments) are referenced as indices into this table to defeat static review. At runtime the decoded routines perform an HTTPS GET followed by a JSON-RPC POST ({jsonrpc, method, params, id:1}) to a dynamically resolved hostname, base64-decode and XOR-decrypt the response, and pass it to eval(r); a second fetched payload is launched via child_process.spawn(..., {detached:true, windowsHide:true}), with a 30-second throttle. The fetch loop runs every time a developer invokes the hijacked vite command, giving the publisher arbitrary remote code execution on the developer machine with persistence via detached child processes. The remote-hostname JSON-RPC lookup makes the C2 endpoint resistant to static domain blocking.
Malicious versions
Indicators of compromise (SHA-256)
Detection & response playbook
Backdoor / remote accessFind it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @vite-tab/tab (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @vite-tab/tab across your stack and pipelines.
If you installed it — respond
@vite-tab/tab establishes remote access, so treat any host that installed it as fully compromised. Isolate the machine, remove the package, rotate all credentials it could reach, and rebuild from a trusted image rather than cleaning in place — a backdoor may have planted additional persistence.
Did it already run?
If @vite-tab/tab was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks @vite-tab/tab before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
Frequently asked questions
Campaign
References
Credits
- Amazon Inspector · finder
Detect & block this
O3 blocks @vite-tab/tab-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the C2 callback and severs the channel.