Malicious package

vite-plugin-compress-js (npm)

Malicious code in vite-plugin-compress-js (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5713
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall vite-plugin-compress-js

What this malware does

On module load, the package's initPlugin() function performs an HTTP GET to https://www.jsonkeeper.com/b/OTOAQ (an anonymous public JSON-paste host) and passes the response body's .data field to new Function.constructor('require',...)(require), executing attacker-controlled JavaScript with full Node require access on the developer/build machine. The ESM entry invokes initPlugin() at top level; the CJS entry spawns a worker_threads Worker on __filename so the same fetch-and-exec runs in the worker. Evidence is in dist/index.cjs lines 148-156.

The package name vite-plugin-compress-js mimics the legitimate vite-plugin-compress / vite-plugin-compression packages and copies their description ("Use gzip or brotli to compress resources.") and surface API (gzip/brotli on closeBundle) as cover for the dropper. Runtime dependencies (express, request, sqlite3) are inconsistent with a compression plugin; request is the transport used by the dropper.

Any project that adds this plugin to its Vite config triggers remote code execution at build time.

Malicious versions

1 flagged: 0.5.5

Indicators of compromise (SHA-256)

ba5cca8be2f19842c304f355a2219256b3af26e9df385ec314ea6899621110aa
e3b05da4b2b34b75fb23780b1b8deeeb320c6b3983fbd53c70dc430b1c2e401b

Frequently asked questions

No. vite-plugin-compress-js on npm has been identified as a malicious package (version 0.5.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006216
IN-MAL-2026-006217

Credits

  • Amazon Inspector · finder

vite-plugin-compress-js (npm) malicious package — MAL-2026-5713 | O3 Security