-= Per source details. Do not edit below this line.=-
The package name, postcss-minify-selector-parser, impersonates the widely used postcss-selector-parser library. The package also declares the real library as a dependency and re-exports it verbatim from src/selector-parser.js, which provides cover: an installer who mistypes the real package name still gets a working selector parser. On top of that legitimate re-export, the package ships a sealed AES-GCM ciphertext as DEFAULTFINALENCODED_TEXT in src/config/defaults.js together with a hardcoded passphrase (default-dev-passphrase) and salt. Because the passphrase and salt ship alongside the ciphertext, the encryption hides the payload from static inspection rather than protecting it. Line 53 of src/pipeline/custom-codec-pipeline.js decrypts the blob and evaluates the cleartext via new Function("require", runnable)(require), handing the decrypted code full require capability on the installer's machine. This decode-and-eval path is reachable through the package's exported run / decodeAndRunPlain / runDefaultDecodedFunction API, through require('postcss-minify-selector-parser/cjs-runner'), and through the bundled runtime/lib.min.js and scripts/cjs-runner.js. The README documents none of this; it presents the package as a CSS selector parser. The combination of a typosquat name, a hidden encrypted payload, a multi-layer custom codec pipeline (position-unit-codec + encode-decode-codec + AES-GCM) used solely to wrap that payload, and direct new Function(require) execution of the decrypted bytes is the canonical opaque-blob-eval supply-chain attack shape. The author field is empty, no repository URL is declared, and the license is the generic ISC.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-006349",
"versions": [
"1.0.15"
],
"sha256": "148543868c09650c18d4bb3014bbe60bad9b59e3a12d23ab16dddb3ebfa49fe1",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:17:45Z",
"import_time": "2026-06-13T07:25:41.985638693Z"
},
{
"id": "IN-MAL-2026-006347",
"versions": [
"1.0.17"
],
"sha256": "1ba4406fdfc91cb0ec42b98b813ca5f6b859eae24f064be244293ae505c118a7",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:17:44Z",
"import_time": "2026-06-13T07:25:41.709854891Z"
},
{
"id": "IN-MAL-2026-006344",
"versions": [
"1.0.13"
],
"sha256": "8a8af65bfa1b7dc7b28f718bff60b6fa76a786bbbbf92b570a1fc1ae0ecf1834",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:17:42Z",
"import_time": "2026-06-13T07:25:41.460400188Z"
},
{
"id": "IN-MAL-2026-006357",
"versions": [
"1.0.18"
],
"sha256": "ca68c7aff52a1094d88d97893fbe50517c878a58043373be7b7cf70b3cdf4641",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:17:49Z",
"import_time": "2026-06-13T07:25:42.63326585Z"
},
{
"id": "IN-MAL-2026-006351",
"versions": [
"1.0.15"
],
"sha256": "ec19903d44f3fd8e9ccddcf9477d64ea01b41a27d939a385454d66394d5e29a4",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:17:46Z",
"import_time": "2026-06-13T07:25:42.177856798Z"
},
{
"id": "IN-MAL-2026-006346",
"import_time": "2026-06-13T07:25:41.593228529Z",
"sha256": "33c1cf9ccc165629c91ebab0a73464734b81a31ea6e845aa97740a2eb1554283",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:17:43Z",
"versions": [
"1.0.13"
]
},
{
"id": "IN-MAL-2026-006350",
"import_time": "2026-06-13T07:25:42.096582455Z",
"sha256": "5e05f8d236cfbc9ea0b7405a36cf28130f038c6a4af086f73883a25d68e7957d",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:17:46Z",
"versions": [
"1.0.14"
]
},
{
"id": "IN-MAL-2026-006343",
"import_time": "2026-06-13T07:25:41.40143884Z",
"sha256": "957f5cbb74f4dd4b4770e8c9cc1a8aac88a4450cb01dbc0fa5242c42e343f54c",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:17:41Z",
"versions": [
"1.0.16"
]
},
{
"id": "IN-MAL-2026-006341",
"versions": [
"2.0.1"
],
"sha256": "d2d21adbc821f5e075a768a69ead3dd95330b0696159d2ac4d345806ad349d0d",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:17:40Z",
"import_time": "2026-06-13T07:25:41.257004345Z"
},
{
"id": "IN-MAL-2026-006345",
"versions": [
"1.0.16"
],
"sha256": "f04cd7d7c790bb5aeae048484a106987c999cc74b9ff1ea369fa8177fc1e982e",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:17:43Z",
"import_time": "2026-06-13T07:25:41.547191779Z"
},
{
"id": "IN-MAL-2026-006342",
"versions": [
"2.0.1"
],
"sha256": "f9aec6416f221aa55e21bbe373e6745933ad49efafa3565841b0bea17e3611e1",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:17:41Z",
"import_time": "2026-06-13T07:25:41.345413317Z"
},
{
"id": "IN-MAL-2026-006354",
"versions": [
"1.0.11"
],
"sha256": "51afcd0436194b387c2a4b619de4e504c65611ec3c20fb638042cd5af3811c26",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:17:48Z",
"import_time": "2026-06-13T07:25:42.413755812Z"
},
{
"id": "IN-MAL-2026-006352",
"versions": [
"1.0.14"
],
"sha256": "73e277b5c3910fc3758b78979f2a73284852d56f23e9ed59dac8a7d16dfffc0b",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:17:46Z",
"import_time": "2026-06-13T07:25:42.23967175Z"
},
{
"id": "IN-MAL-2026-006358",
"import_time": "2026-06-13T07:25:42.753854028Z",
"sha256": "8df97549294149dcf730bf7af26d825d7072f6fac463adaba700ec4da3c84730",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:17:52Z",
"versions": [
"1.0.12"
]
},
{
"id": "IN-MAL-2026-006353",
"versions": [
"1.0.11"
],
"sha256": "93307191fd0206cb7dc1f18d1f7c1cc008f14cb6807784bf9ec6223097190eaf",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:17:47Z",
"import_time": "2026-06-13T07:25:42.349090024Z"
},
{
"id": "IN-MAL-2026-006348",
"versions": [
"1.0.17"
],
"sha256": "c6c670fb58865bb761a89229428b8568079889c02913d1619623619168e9e5e6",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:17:45Z",
"import_time": "2026-06-13T07:25:41.859479966Z"
},
{
"id": "IN-MAL-2026-006356",
"import_time": "2026-06-13T07:25:42.563898834Z",
"sha256": "f197723d2fd19b293e1dec876c169fc7dab6b2075dc936793452c9eace76de8a",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:17:49Z",
"versions": [
"1.0.18"
]
},
{
"id": "IN-MAL-2026-006355",
"versions": [
"1.0.12"
],
"sha256": "a6216015cbdb41be2fcb6e05cee8d9edb610c04b50cac6ca7577f14fb5e60be9",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:17:48Z",
"import_time": "2026-06-13T07:25:42.486957071Z"
}
]
}{
"evidence_files": [
{
"path": "src/pipeline/custom-codec-pipeline.js",
"sha256": "6a38f4170e8e82254423040d311c8164b3d928ebc00cd7a95a8f22bee75ce128",
"tlsh": "367130c23cbf79c71d9bed64f0af0869186ca7113505f268aca953c80aeb275d123c8d"
},
{
"path": "package.json",
"sha256": "401217b0f03f7624b49dce3788bae66ffb7ff7de9cc6f8378742557a1f077740",
"tlsh": "7021f400de104d7335ca9d6e3c6a1446907a94870a84bc483b4587ac4f9d5bf51fb3ae"
},
{
"path": "src/config/defaults.js",
"sha256": "ef36cbe227547ce6b4153010cb9350e25a7c09fb3f0a385be77612fa06ba4b54",
"tlsh": "1f32cf7e7807033e81787bf1c8b46d266db22c3af06e3a154f7c40db6a46a07497256e"
}
],
"package_integrity": [
{
"filename": "postcss-minify-selector-parser-1.0.15.tgz",
"hashes": {
"sha512_sri": "sha512-zxCQf8/w+3FiA6WhdVWGajEZENyhEyzx3ppuHFPhX0xAtj0KfY9dGioYB667nGIjnOox2zQWToXFwVW5imoGjg==",
"sha1": "4e7eade3e30c0a65770c5a4eccd6313ee4b8a271"
}
}
],
"ips": [
"104.16.5.34",
"10.1.0.2"
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/postcss-minify-selector-parser/MAL-2026-5737.json"