-= Per source details. Do not edit below this line.=-
The package is published as layerd-unit-codec-parser, but its README, install instructions, and example imports present it as postcss-minify-selector-parser, a name resembling the legitimate postcss-selector-parser. To complete the impersonation, src/selector-parser.js re-exports the real postcss-selector-parser and src/index.js spreads its API onto the package's own exports. Alongside this benign-looking surface, src/config/defaults.js ships a multi-kilobyte AES-GCM ciphertext (DEFAULT_FINAL_ENCODED_TEXT) together with the passphrase (DEFAULT_AES_PASSPHRASE='default-dev-passphrase') and salt (DEFAULT_AES_SALT='encode-npm-c-salt') needed to decrypt it. The exported run / runDefaultDecodedFunction / finalFinalDecodeAndRun code path (reachable via npm start, npm run decode, node cjs-runner.js, or any consumer calling .run() on the main export) decrypts that blob and executes the resulting string with new Function('require', runnable)(require). Because the ciphertext and its decryption key ship together, the AES layer provides no confidentiality: it is pure obfuscation over executable JavaScript that the package then evaluates. This is functionally equivalent to base64-decode-and-eval of an opaque payload, and the evaluated code has full access to require in the installer's environment. For the same reason, the payload can be recovered for analysis by decrypting the blob offline with the shipped passphrase and salt, without invoking any of the run entry points.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.0"
],
"sha256": "e27d4511e4a3f335712736eebef6cf8e55e3f1bccbb13ded2fcef675622e58e1",
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"modified_time": "2026-06-29T06:35:34Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007767",
"import_time": "2026-06-29T07:09:11.126829777Z"
}
]
}{
"package_integrity": [
{
"filename": "layerd-unit-codec-parser-1.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-e0IAZaFV3XQmbNHpvel1QaA6xqoUhlxqtBc3lCKHpNdtIUbXWreMNH/NChBZXPfS5wF6uICCbDrKiyQNSHAk4w==",
"sha1": "edfc09cd61484982b38152df96007d2f27808dac"
}
}
],
"evidence_files": [
{
"sha256": "6a38f4170e8e82254423040d311c8164b3d928ebc00cd7a95a8f22bee75ce128",
"path": "src/pipeline/custom-codec-pipeline.js",
"tlsh": "367130c23cbf79c71d9bed64f0af0869186ca7113505f268aca953c80aeb275d123c8d"
},
{
"sha256": "7fa23efa8dd21f8cc971ec80173883fb5ae8b938af2f3361c54e1a6aea37792b",
"path": "src/config/defaults.js",
"tlsh": "c742bf832e9aeb5d04bcad5c503bab6309408f7bee7875c68ccd10e9b88d953057149e"
},
{
"sha256": "748cb0cc0278416ca780ff47c4b6b7b5702341a6bae967014b8808b11309d7f6",
"path": "README.md",
"tlsh": "1341e091797203f02a2f09a72d0da856e95ed4df7144e8c16c6c9be52f851c61b170bf"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/layerd-unit-codec-parser/MAL-2026-6578.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]