Malicious package

vite-plugin-logo (npm)

Malicious code in vite-plugin-logo (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5714
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall vite-plugin-logo

What this malware does

On require, index.js walks up to 5 parent directories searching for public/assets/logo.png, scans the file bytes for the marker __VITE_ASSET_CACHE_v1__, base64-decodes the bytes that follow the marker, and executes them via new Function('require', code)(require), passing the real require so the decoded payload has full Node capabilities (filesystem, network, child_process). The entire loader is wrapped in try { ... } catch (e) {} to silently swallow errors, and it uses single-letter identifiers and a marker name that masquerades as a Vite-internal cache to disguise intent. This is a steganographic loader: any project that installs and imports this plugin will execute whatever code is embedded in a PNG bearing the magic marker, giving an attacker (the package author, or anyone who can ship such a PNG into a consumer's public/assets/ tree) a generic remote-code-execution primitive at build/import time. The package name follows the vite-plugin-* convention but is published under the generic placeholder author Vite Community with no repository or homepage, consistent with namespace abuse against the Vite plugin ecosystem.

Malicious versions

9 flagged: 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.1.1

Indicators of compromise (SHA-256)


Frequently asked questions

No. vite-plugin-logo on npm has been identified as a malicious package (versions 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, and 1 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006223, IN-MAL-2026-006222, IN-MAL-2026-006224, IN-MAL-2026-006219, IN-MAL-2026-006227, IN-MAL-2026-006220, IN-MAL-2026-006221, IN-MAL-2026-006226, IN-MAL-2026-006225

Credits

  • Amazon Inspector · finder

vite-plugin-logo (npm) malicious package — MAL-2026-5714 | O3 Security