-= Per source details. Do not edit below this line.=-
Package is published as postcss-selector-minify (a word-order permutation of cssnano's widely used postcss-minify-selectors) and registers itself to PostCSS under the legitimate plugin's id postcss-minify-selectors, so consumers who mistype or misremember the cssnano plugin name receive a different publisher's package that self-identifies as the real one. On require(), the main entry performs a bare side-effect import of layerd-unit-codec-parser/cjs-runner (return value discarded) before any other work, and replaces the de-facto-standard postcss-selector-parser with layerd-unit-codec-parser/selector-parser (the standard parser is demoted to devDependencies). layerd-unit-codec-parser is an obscure package whose name has no relation to CSS or PostCSS; the /cjs-runner submodule path is shaped specifically to execute code on load. Installing this package silently pulls layerd-unit-codec-parser into the consumer's dependency tree and runs its cjs-runner module on every require of the wrapper.
{
"malicious-packages-origins": [
{
"sha256": "92fec62079856815ded46ba283769d3d3e0d20e08b6196b8698e08e2df6677ee",
"versions": [
"2.0.0"
],
"source": "amazon-inspector",
"id": "IN-MAL-2026-010562",
"modified_time": "2026-07-14T20:18:29Z",
"import_time": "2026-07-14T20:28:24.753368625Z"
}
]
}[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"evidence_files": [
{
"path": "src/index.js",
"sha256": "68505b605713084bb2138cac12e38447e40f6de25c558956449cf591706d7528",
"tlsh": "a50221dd165512314d7fbbfb9e965518ff2602eb220091d1b8ae42401f72a144366eff"
}
],
"package_integrity": [
{
"filename": "postcss-selector-minify-2.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-J5qvmnFs6yuF/otnXiGyu1Jmj8s6sEFrA07H4P+lMN9gN4E0oU5qtcdVPNgImZErIZhlsq70sDUir+jklHKmaw==",
"sha1": "8335df7c9e774806f61602c8284a35795f195386"
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/postcss-selector-minify/MAL-2026-10614.json"