MAL-2026-6578

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/layerd-unit-codec-parser/MAL-2026-6578.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6578
Published
2026-06-29T06:35:34Z
Modified
2026-06-29T07:16:44.466498862Z
Summary
Malicious code in layerd-unit-codec-parser (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e27d4511e4a3f335712736eebef6cf8e55e3f1bccbb13ded2fcef675622e58e1)

Package is published as layerd-unit-codec-parser but its README, install instructions, and example imports present it as postcss-minify-selector-parser, a name resembling the legitimate postcss-selector-parser. To complete the impersonation, src/selector-parser.js re-exports the real postcss-selector-parser and src/index.js spreads its API onto the package's own exports. Alongside this benign-looking surface, src/config/defaults.js ships a multi-KB AES-GCM ciphertext (DEFAULT_FINAL_ENCODED_TEXT) together with the passphrase (DEFAULT_AES_PASSPHRASE='default-dev-passphrase') and salt (DEFAULT_AES_SALT='encode-npm-c-salt') needed to decrypt it. The exported run / runDefaultDecodedFunction / finalFinalDecodeAndRun code path (reachable via npm start, npm run decode, node cjs-runner.js, or any consumer calling .run() on the main export) decrypts that blob and executes the resulting string with new Function('require', runnable)(require). Shipping both the ciphertext and its decryption key makes the AES layer pure obfuscation over executable JavaScript that the package then evaluates — functionally equivalent to base64-decode-and-eval of an opaque payload, with full access to require in the installer's environment.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0"
            ],
            "sha256": "e27d4511e4a3f335712736eebef6cf8e55e3f1bccbb13ded2fcef675622e58e1",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "modified_time": "2026-06-29T06:35:34Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007767",
            "import_time": "2026-06-29T07:09:11.126829777Z"
        }
    ]
}
References
Credits

Affected packages

npm / layerd-unit-codec-parser

Package

Name
layerd-unit-codec-parser
Purl
pkg:npm/layerd-unit-codec-parser

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "layerd-unit-codec-parser-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-e0IAZaFV3XQmbNHpvel1QaA6xqoUhlxqtBc3lCKHpNdtIUbXWreMNH/NChBZXPfS5wF6uICCbDrKiyQNSHAk4w==",
                "sha1": "edfc09cd61484982b38152df96007d2f27808dac"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "6a38f4170e8e82254423040d311c8164b3d928ebc00cd7a95a8f22bee75ce128",
            "path": "src/pipeline/custom-codec-pipeline.js",
            "tlsh": "367130c23cbf79c71d9bed64f0af0869186ca7113505f268aca953c80aeb275d123c8d"
        },
        {
            "sha256": "7fa23efa8dd21f8cc971ec80173883fb5ae8b938af2f3361c54e1a6aea37792b",
            "path": "src/config/defaults.js",
            "tlsh": "c742bf832e9aeb5d04bcad5c503bab6309408f7bee7875c68ccd10e9b88d953057149e"
        },
        {
            "sha256": "748cb0cc0278416ca780ff47c4b6b7b5702341a6bae967014b8808b11309d7f6",
            "path": "README.md",
            "tlsh": "1341e091797203f02a2f09a72d0da856e95ed4df7144e8c16c6c9be52f851c61b170bf"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/layerd-unit-codec-parser/MAL-2026-6578.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]