MAL-2026-10687

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/selparsecss-selector/MAL-2026-10687.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10687
Published
2026-07-15T17:54:33Z
Modified
2026-07-15T18:19:27.563978335Z
Summary
Malicious code in selparsecss-selector (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f4f8e230628f3622bf88bcd590f98f8065a99ea3e71ef1bf3c330439b7671e1f)

selparsecss-selector@2.1.0 is a name-confusion fork of postcss-selector-parser: package.json declares author 'Ai Pyramid' pyramid.info@gmail.com while the LICENSE-MIT, source tree, API, and CHANGELOG are copied verbatim from the upstream postcss-selector-parser (Ben Briggs). The tarball ships dist/util/webpack.min.js, a ~40KB obfuscator.io-packed bundle with a rotated 757-entry string array and an RC4+base64+XOR string decoder, whose top-level IIFE destructures exec and execSync from childprocess, branches on values returned by the os module, and calls process.exit(1) on specific conditions. A CSS-selector parser has no functional need for childprocess shell execution. Additionally, propPaths.js and selectors/wrapper.js reconstruct filenames such as 'wrapper.js' and the extension '.jsc' from CSS-hex-escape sequences via an unesc helper, and the package declares bytenode as a runtime dependency; bytenode registers a require hook for opaque V8-bytecode.jsc files, providing a loader path for code that cannot be inspected as source. The combination — impersonated identity, obfuscated child_process-execution bundle, and hex-obfuscated bytenode load scaffolding — is a supply-chain attack shape targeting developers who intended to install postcss-selector-parser.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010686",
            "import_time": "2026-07-15T17:59:56.223638056Z",
            "sha256": "410937a56e887da6bbd58478fa87b0ad0d4bf7d7074bc79f9c28e53d2615ffbd",
            "versions": [
                "1.1.0"
            ],
            "modified_time": "2026-07-15T17:54:33Z"
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010688",
            "import_time": "2026-07-15T17:59:56.418114424Z",
            "sha256": "431ad1bb3fe03628a36206d3b32706c18c40e8f2471d88ce5c7f8550005a6fde",
            "versions": [
                "2.0.0"
            ],
            "modified_time": "2026-07-15T17:55:13Z"
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010687",
            "import_time": "2026-07-15T17:59:56.336203066Z",
            "sha256": "464e8f88d8ae9eb9994a91abed0f03e697144d142315afcc59571f579db2ad34",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-07-15T17:54:44Z"
        },
        {
            "id": "IN-MAL-2026-010689",
            "source": "amazon-inspector",
            "import_time": "2026-07-15T17:59:56.497420135Z",
            "sha256": "f4f8e230628f3622bf88bcd590f98f8065a99ea3e71ef1bf3c330439b7671e1f",
            "versions": [
                "2.1.0"
            ],
            "modified_time": "2026-07-15T17:55:34Z"
        }
    ]
}
References
Credits

Affected packages

npm / selparsecss-selector

Package

Name
selparsecss-selector
View open source insights on deps.dev
Purl
pkg:npm/selparsecss-selector

Affected ranges

Affected versions

1.*
1.0.0
1.1.0
2.*
2.0.0
2.1.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/selparsecss-selector/MAL-2026-10687.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "selparsecss-selector-1.1.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-/r3RwVTR4AehaS6so4mZLcCyJO8zypEgCrzlrx/wlhyKoqQpgppSh0RqBfqKeYEH6fcr/h6xtCeUIMsJ9/26kw==",
                "sha1": "c4d1f8814e41f55a5ae22cb28a4f9cd4171ecc14"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "dist/parser.js",
            "sha256": "dcbf3f76ce3b9f4983a36f70b14ce93065975b17ab9420ea739908256545d087",
            "tlsh": "16230e5a9dfb10299223b5bc2f6f64147638810b0548d81c7d9cc2d0afe056987abffd"
        },
        {
            "path": "dist/util/webpack.min.js",
            "sha256": "c93812164247893d4d4d9b9ef125cec5dbc9abef21400a4db1c7aa65bbe5c369",
            "tlsh": "d2033cadb5eaf691127368a51d9b3517a5eb78c13005d802deb8588c3c6372cf1e3dac"
        },
        {
            "path": "package.json",
            "sha256": "aaf813fbc12b022d55b2d0f7ef83dd796d9aa2427649d1da0d102680442f0ff7",
            "tlsh": "fa319921dc594c2325ee65aa3ca8a211b530c457ce88fc6873c4411c2f1da6f69ba8ae"
        }
    ]
}