On import/require of vite-react-toolkit, src/features/extras/config.js (reached via the package main → createConfig.js → features/plugins.js side-effect import chain) fetches https://www.jsonkeeper.com/b/AAON3 with axios, extracts the response's .config field, and passes it to new Function('require', s)(require) — executing attacker-controlled JavaScript in the installer's Node.js process with full module-loading capability via createRequire(import.meta.url). The fetch retries 5 times and swallows errors silently; console.log is saved and restored around the call to suppress output from the injected code. The dropper URL is hidden behind a fake local process.env object whose keys are named DEV_API_KEY/DEV_SECRET_KEY/DEV_SECRET_VALUE to look like ordinary environment variable reads. The package advertises itself as a Vite configuration helper, which has no need for network I/O at import time. jsonkeeper.com is an anonymous, mutable paste host — the served bytes can change at any time without any change to the package — so the attacker controls what runs in every consumer's dev/build pipeline whenever this module is imported.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.