MAL-2026-6495

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/animatecss-postcss-plugin/MAL-2026-6495.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6495

Published

2026-06-26T01:42:36Z

Modified

2026-06-26T02:01:23.668369450Z

Summary

Malicious code in animatecss-postcss-plugin (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6be12cec08d0999c157774b746c3e431825ae61635bb8ddddf36061d4602cec7)

animatecss-postcss-plugin@1.0.1 ships a tiny PostCSS plugin factory whose body contains an obfuscator.io-style string-array + RC4 decoder (functions _0xa311, _0x4399, _0x12b0 with a ~120-entry encoded string table). When the exported plugin factory is invoked during a CSS build, it constructs a URL from the decoded string array, performs an HTTP fetch with a 60s AbortController and a retry loop (attempts 1..10), base64-decodes the response body's message field via Buffer.from(k, 'base64').toString('utf-8'), and executes the resulting JavaScript via new Function('require', _)(require) — giving the remote payload full Node require access inside the developer's build process. There is no legitimate reason for a PostCSS prefix-injection plugin to fetch and eval remote code, and the heavy obfuscation around the fetch destination and payload-handling logic confirms intent to hide the behavior from casual review. Any project that installs this plugin and runs its CSS build will execute attacker-controlled JavaScript with the privileges of the build process.

Database specific

{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.1"
            ],
            "modified_time": "2026-06-26T01:42:36Z",
            "sha256": "6be12cec08d0999c157774b746c3e431825ae61635bb8ddddf36061d4602cec7",
            "id": "IN-MAL-2026-007577",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T01:51:19.289438476Z"
        }
    ]
}

References

https://www.npmjs.com/package/animatecss-postcss-plugin/v/1.0.1

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / animatecss-postcss-plugin

Package

Name: animatecss-postcss-plugin; View open source insights on deps.dev
Purl: pkg:npm/animatecss-postcss-plugin

Affected ranges

Affected versions

1.*

1.0.1

Database specific

cwes

[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]

indicators

{
    "package_integrity": [
        {
            "filename": "animatecss-postcss-plugin-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-s9DdHjAy3pltPPPwZbvpAjRroHfzYYVPiHjpIllMPs8jL7crvOLxbT+/7VXttwQr7qY+ZTtEnqCIKmQwxb0lcw==",
                "sha1": "f4f826b716e53089f872f70151db9ba1399d0313"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "3b42f8b97461744827b73672c7af248bfe3466933948648875bc83943f32d2881a3f79",
            "sha256": "0b70e0c2e0d033b78ccc1a68998ae398f0d77b7947e3397e39ade373fda9bf1a"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/animatecss-postcss-plugin/MAL-2026-6495.json"