Malicious package

vite-config-optimizer (npm)

Malicious code in vite-config-optimizer (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5727
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall vite-config-optimizer

What this malware does

package.json declares a postinstall hook node -e "require('./loader.js')" that auto-executes on every npm install. loader.js spawns a detached child Node process running a dropper that hex-decodes a hidden URL (https://jsonkeeper.com/b/L435A, an anonymous, mutable JSON paste host), HTTPS-GETs the response body, writes it to a temp file under /tmp/wpc-*/cfg-*.js, and require()s it — running arbitrary attacker-controlled JavaScript inside the installer's Node process with the installer's privileges. The remote endpoint is concealed as a hex literal decoded with Buffer.from(..., 'hex').toString() to evade plain-text URL scanners, and the dropper is detached and unref'd to hide its activity. The package's advertised identity is also a cover story: the name and description claim it is a Vite configuration plugin, but the declared repository points at webpack-tools/webpack-cache-plugin, the main module exports a WebpackCachePlugin class, and the only install-time behavior is the dropper. Anyone running npm install vite-config-optimizer (directly or transitively) executes whatever bytes the paste host serves at request time.
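
An added example (not code from this advisory or from the package): a static triage that flags the two traits described above, an install-time lifecycle hook and a quoted hex literal that decodes to a URL. The function names and the sample package contents are constructed for illustration.

```javascript
// Added example: static triage of an unpacked npm package; nothing is executed.
// Function names and sample inputs are constructed, not taken from the real package.
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];

// Lifecycle scripts that npm runs automatically when the package is installed.
function findInstallHooks(pkgJsonText) {
  const scripts = JSON.parse(pkgJsonText).scripts || {};
  return LIFECYCLE.filter((k) => typeof scripts[k] === 'string')
    .map((k) => ({ hook: k, command: scripts[k] }));
}

// Quoted hex literals (8+ bytes) whose decoded text is an http(s) URL.
function findHexUrls(sourceText) {
  const hits = [];
  const re = /(['"`])((?:[0-9a-fA-F]{2}){8,})\1/g;
  for (const m of sourceText.matchAll(re)) {
    const decoded = Buffer.from(m[2], 'hex').toString('utf8');
    if (/^https?:\/\/[\x21-\x7e]+$/.test(decoded)) hits.push(decoded);
  }
  return hits;
}

// files: { relativePath: sourceText }. Flag only when both traits co-occur.
function triage(pkgJsonText, files) {
  const hooks = findInstallHooks(pkgJsonText);
  const urls = Object.entries(files).flatMap(([file, src]) =>
    findHexUrls(src).map((url) => ({ file, url })));
  return { hooks, urls, suspicious: hooks.length > 0 && urls.length > 0 };
}

// Constructed sample: a placeholder URL, hex-encoded the way the advisory describes.
const SAMPLE_URL = 'https://paste.example.invalid/b/PLACEHOLDER';
const SAMPLE_PKG = JSON.stringify({
  name: 'sample-pkg', version: '0.0.0',
  scripts: { postinstall: 'node -e "require(\'./loader.js\')"' },
});
const SAMPLE_FILES = {
  'loader.js': `const u = Buffer.from('${Buffer.from(SAMPLE_URL).toString('hex')}', 'hex').toString();`,
  'index.js': 'module.exports = class WebpackCachePlugin {};',
};

console.log(JSON.stringify(triage(SAMPLE_PKG, SAMPLE_FILES), null, 2));
```

Run it against the contents of a tarball fetched with npm pack rather than an installed copy, so the lifecycle hook never runs on the analysis machine.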

Malicious versions

1 flagged
1.1.4

Indicators of compromise (SHA-256)

d8d7346296470990420a83384ab12bb58bd7cafa17ed5e02fdef81440ab8e4b1
f824c077d7d2705d17dc29eba9a24ea8b51b93785bcf83fdfe639fc8f9bc581f

Frequently asked questions

No. vite-config-optimizer on npm has been identified as a malicious package (version 1.1.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006276
IN-MAL-2026-006275

Credits

  • Amazon Inspector · finder

vite-config-optimizer (npm) malicious package — MAL-2026-5727 | O3 Security