Malicious package

vite-common-utils (npm)

Malicious code in vite-common-utils (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6088
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall vite-common-utils

What this malware does

The package presents itself as a Vite utility library but its only export, loadFilbetScriptSilently, creates a <script> element whose src is hardcoded to https://cdn.jsdelivr.net/gh/gongben2024/network-security@main/src/filbet.js and appends it to document.documentElement, causing the consuming application to fetch and execute whatever JavaScript that URL currently serves. The URL is unpinned (mutable @main branch), is hosted under a personal GitHub user account unrelated to the package publisher, and has no integrity/SRI check. The shipped dist/index.js is the only file in the package and is heavily mangled with obfuscator.io (string-array decoder, hex identifiers, rotation loop), and package.json's devDependencies include gulp-javascript-obfuscator — confirming the obfuscation is intentional and hides the injector. The export name suffixed 'Silently', the cover-story package name, the obfuscation, and the off-publisher mutable code source jointly indicate a remote-code-execution dropper aimed at the downstream web application's origin and its users.

Malicious versions

3 flagged
1.0.3, 1.0.4, 1.0.5
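
To check whether a project resolves this package, including transitively or under an npm alias, the lockfile is the place to look. The following is an added example, not code from the advisory or from the package: it scans a parsed package-lock.json in either the v2/v3 "packages" layout or the v1 nested "dependencies" layout. The function names and both sample lockfiles are constructed for illustration.

```javascript
// Added example; package name and flagged versions are taken from the advisory.
const PKG = "vite-common-utils";
const FLAGGED = new Set(["1.0.3", "1.0.4", "1.0.5"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? "" : path.slice(i + "node_modules/".length);
}

// Takes a parsed package-lock.json; returns every install of PKG it finds.
function findFlagged(lock) {
  const hits = [];
  const record = (where, name, version) => {
    if (name === PKG) hits.push({ where, version, flagged: FLAGGED.has(version) });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    // An aliased install carries the real package name in entry.name.
    record(path, entry.name || nameFromPath(path), entry.version);
  }
  // lockfileVersion 1: nested "dependencies" tree; aliases look like "npm:name@version".
  const walk = (deps, trail) => {
    for (const [key, entry] of Object.entries(deps || {})) {
      const alias = /^npm:(.+)@([^@]+)$/.exec(entry.version || "");
      const where = trail.concat(key).join(" > ");
      if (alias) record(where, alias[1], alias[2]);
      else record(where, key, entry.version);
      walk(entry.dependencies, trail.concat(key));
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not from the advisory).
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "0.1.0" },
  "node_modules/some-plugin/node_modules/vite-common-utils": { version: "1.0.4" },
  "node_modules/helpers": { name: "vite-common-utils", version: "1.0.2" },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  "build-kit": { version: "2.0.0", dependencies: { "vite-common-utils": { version: "1.0.5" } } },
  "utils": { version: "npm:vite-common-utils@1.0.3" },
} };

console.log(findFlagged(sampleV3), findFlagged(sampleV1));
```

Installs whose version is not in the flagged set are still returned with flagged: false, so they can be reviewed rather than silently ignored.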

Indicators of compromise (SHA-256)

1cee011bd6bf55f3c74e2e42c15a9df8f1f7974308da228087ba019c3e5cd831
b1d3397d754ffeb3726496769b2f159ce8596b2233b5875afa8f7fbca29ed0fd
c989aa0727b9dd8a6ee9cc42b851dcea293df2ea4129284d43b4476461d91bcb

Frequently asked questions

No. vite-common-utils on npm has been identified as a malicious package (versions 1.0.3, 1.0.4, 1.0.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006958, IN-MAL-2026-006956, IN-MAL-2026-006957

Credits

  • Amazon Inspector · finder

vite-common-utils (npm) malicious package — MAL-2026-6088 | O3 Security