
Research
/Security News
Compromised npm Packages in the AsyncAPI Namespace Deliver Miasma Botnet Loader
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.
@sohu-bpd/vite-plugin-cdn-upload
Advanced tools
Upload built assets to a private CDN storage service after the Vite build completes.
closeBundleinclude / exclude rules**/*.html by defaultPUT Object requests with the SCS HMAC-SHA1 flowimport { defineConfig } from "vite";
import { cdnUploadPlugin } from "@sohu-bpd/vite-plugin-cdn-upload";
export default defineConfig({
plugins: [
cdnUploadPlugin({
bucket: "frontend-assets",
prefix: "my-app/2026-03-30",
host: process.env.SCS_HOST,
concurrency: 3,
include: ["assets/**"],
exclude: ["**/*.html"]
})
]
});
bucket: required bucket nameprefix: optional object key prefix; leading and trailing / are removedhost: optional SCS host or origin such as bjcnc.scs.sohucs.com or http://bjcnc.scs.sohucs.comaccessKey: optional access key; falls back to SCS_ACCESS_KEYsecretKey: optional secret key; falls back to SCS_SECRET_KEYinclude: optional glob rule or glob rule list; defaults to ["**/*"]exclude: optional glob rule or glob rule list; defaults to ["**/*.html"]env: optional custom env key mapping for accessKey, secretKey, and hostcomputeMd5: whether to send Content-MD5; defaults to trueconcurrency: optional maximum number of concurrent uploads; defaults to 3The plugin runs only for Vite build mode. After bundling, it scans build.outDir, filters files with include and exclude, and uploads matching files to:
<prefix>/<relative-output-path>
The plugin does not rewrite URLs inside generated files.
During upload it prints colored, structured console logs for START, one UPLOADED line per completed upload, SUCCESS, and ERROR. Uploads run with a bounded concurrency of 3 by default unless overridden by concurrency.
By default, the plugin reads these environment variables when the corresponding option is not provided:
SCS_ACCESS_KEYSCS_SECRET_KEYSCS_HOSTFAQs
Upload built assets to a CDN and update asset URLs.
We found that @sohu-bpd/vite-plugin-cdn-upload demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.