{"id":"MAL-2026-5737",
"summary":"Malicious code in postcss-minify-selector-parser (npm)",
"details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (957f5cbb74f4dd4b4770e8c9cc1a8aac88a4450cb01dbc0fa5242c42e343f54c)\nThe package name impersonates the widely-used postcss-selector-parser library (which it also declares as a dependency and re-exports verbatim from src/selector-parser.js, providing cover for installers who mistype the real package). On top of that legitimate re-export, the package ships a sealed AES-GCM ciphertext as DEFAULT_FINAL_ENCODED_TEXT in src/config/defaults.js together with a hardcoded passphrase (`default-dev-passphrase`) and salt. src/pipeline/custom-codec-pipeline.js line 53 decrypts the blob and evaluates the cleartext via `new Function(\"require\", runnable)(require)`, handing the decrypted code full `require` capability on the installer's machine. This decode-and-eval path is reachable through the package's exported `run` / `decodeAndRunPlain` / `runDefaultDecodedFunction` API, through `require('postcss-minify-selector-parser/cjs-runner')`, and through the bundled `runtime/lib.min.js` and `scripts/cjs-runner.js`. The README documents none of this — it presents the package as a CSS selector parser. The combination of typosquat name, hidden encrypted payload, multi-layer custom codec pipeline (position-unit-codec + encode-decode-codec + AES-GCM) used solely to wrap that payload, and direct `new Function(require)` execution of the decrypted bytes is the canonical opaque-blob-eval supply-chain attack shape. Author field is empty, no repository URL is declared, license is generic ISC.\n",
"modified":"2026-06-13T07:31:42.461600278Z",
"published":"2026-06-13T07:17:40Z",
"database_specific":{"malicious-packages-origins":[
{"id":"IN-MAL-2026-006349","versions":["1.0.15"],"modified_time":"2026-06-13T07:17:45Z","source":"amazon-inspector","sha256":"148543868c09650c18d4bb3014bbe60bad9b59e3a12d23ab16dddb3ebfa49fe1","import_time":"2026-06-13T07:25:41.985638693Z"},
{"modified_time":"2026-06-13T07:17:44Z","id":"IN-MAL-2026-006347","versions":["1.0.17"],"source":"amazon-inspector","sha256":"1ba4406fdfc91cb0ec42b98b813ca5f6b859eae24f064be244293ae505c118a7","import_time":"2026-06-13T07:25:41.709854891Z"},
{"modified_time":"2026-06-13T07:17:42Z","id":"IN-MAL-2026-006344","versions":["1.0.13"],"source":"amazon-inspector","sha256":"8a8af65bfa1b7dc7b28f718bff60b6fa76a786bbbbf92b570a1fc1ae0ecf1834","import_time":"2026-06-13T07:25:41.460400188Z"},
{"id":"IN-MAL-2026-006357","versions":["1.0.18"],"modified_time":"2026-06-13T07:17:49Z","source":"amazon-inspector","sha256":"ca68c7aff52a1094d88d97893fbe50517c878a58043373be7b7cf70b3cdf4641","import_time":"2026-06-13T07:25:42.63326585Z"},
{"modified_time":"2026-06-13T07:17:46Z","id":"IN-MAL-2026-006351","versions":["1.0.15"],"source":"amazon-inspector","sha256":"ec19903d44f3fd8e9ccddcf9477d64ea01b41a27d939a385454d66394d5e29a4","import_time":"2026-06-13T07:25:42.177856798Z"},
{"versions":["1.0.13"],"modified_time":"2026-06-13T07:17:43Z","id":"IN-MAL-2026-006346","source":"amazon-inspector","sha256":"33c1cf9ccc165629c91ebab0a73464734b81a31ea6e845aa97740a2eb1554283","import_time":"2026-06-13T07:25:41.593228529Z"},
{"id":"IN-MAL-2026-006350","versions":["1.0.14"],"modified_time":"2026-06-13T07:17:46Z","source":"amazon-inspector","sha256":"5e05f8d236cfbc9ea0b7405a36cf28130f038c6a4af086f73883a25d68e7957d","import_time":"2026-06-13T07:25:42.096582455Z"},
{"id":"IN-MAL-2026-006343","versions":["1.0.16"],"modified_time":"2026-06-13T07:17:41Z","source":"amazon-inspector","sha256":"957f5cbb74f4dd4b4770e8c9cc1a8aac88a4450cb01dbc0fa5242c42e343f54c","import_time":"2026-06-13T07:25:41.40143884Z"},
{"modified_time":"2026-06-13T07:17:40Z","id":"IN-MAL-2026-006341","versions":["2.0.1"],"source":"amazon-inspector","sha256":"d2d21adbc821f5e075a768a69ead3dd95330b0696159d2ac4d345806ad349d0d","import_time":"2026-06-13T07:25:41.257004345Z"},
{"modified_time":"2026-06-13T07:17:43Z","id":"IN-MAL-2026-006345","versions":["1.0.16"],"source":"amazon-inspector","sha256":"f04cd7d7c790bb5aeae048484a106987c999cc74b9ff1ea369fa8177fc1e982e","import_time":"2026-06-13T07:25:41.547191779Z"},
{"id":"IN-MAL-2026-006342","versions":["2.0.1"],"modified_time":"2026-06-13T07:17:41Z","source":"amazon-inspector","sha256":"f9aec6416f221aa55e21bbe373e6745933ad49efafa3565841b0bea17e3611e1","import_time":"2026-06-13T07:25:41.345413317Z"},
{"id":"IN-MAL-2026-006354","versions":["1.0.11"],"modified_time":"2026-06-13T07:17:48Z","source":"amazon-inspector","sha256":"51afcd0436194b387c2a4b619de4e504c65611ec3c20fb638042cd5af3811c26","import_time":"2026-06-13T07:25:42.413755812Z"},
{"modified_time":"2026-06-13T07:17:46Z","id":"IN-MAL-2026-006352","versions":["1.0.14"],"source":"amazon-inspector","sha256":"73e277b5c3910fc3758b78979f2a73284852d56f23e9ed59dac8a7d16dfffc0b","import_time":"2026-06-13T07:25:42.23967175Z"},
{"versions":["1.0.12"],"modified_time":"2026-06-13T07:17:52Z","id":"IN-MAL-2026-006358","source":"amazon-inspector","sha256":"8df97549294149dcf730bf7af26d825d7072f6fac463adaba700ec4da3c84730","import_time":"2026-06-13T07:25:42.753854028Z"},
{"modified_time":"2026-06-13T07:17:47Z","id":"IN-MAL-2026-006353","versions":["1.0.11"],"source":"amazon-inspector","sha256":"93307191fd0206cb7dc1f18d1f7c1cc008f14cb6807784bf9ec6223097190eaf","import_time":"2026-06-13T07:25:42.349090024Z"},
{"modified_time":"2026-06-13T07:17:45Z","id":"IN-MAL-2026-006348","versions":["1.0.17"],"source":"amazon-inspector","sha256":"c6c670fb58865bb761a89229428b8568079889c02913d1619623619168e9e5e6","import_time":"2026-06-13T07:25:41.859479966Z"},
{"id":"IN-MAL-2026-006356","versions":["1.0.18"],"modified_time":"2026-06-13T07:17:49Z","source":"amazon-inspector","sha256":"f197723d2fd19b293e1dec876c169fc7dab6b2075dc936793452c9eace76de8a","import_time":"2026-06-13T07:25:42.563898834Z"},
{"modified_time":"2026-06-13T07:17:48Z","id":"IN-MAL-2026-006355","versions":["1.0.12"],"source":"amazon-inspector","sha256":"a6216015cbdb41be2fcb6e05cee8d9edb610c04b50cac6ca7577f14fb5e60be9","import_time":"2026-06-13T07:25:42.486957071Z"}
]},
"references":[
{"type":"PACKAGE","url":"https://www.npmjs.com/package/postcss-minify-selector-parser/v/1.0.15"},
{"type":"PACKAGE","url":"https://www.npmjs.com/package/postcss-minify-selector-parser/v/1.0.17"},
{"type":"PACKAGE","url":"https://www.npmjs.com/package/postcss-minify-selector-parser/v/1.0.13"},
{"type":"PACKAGE","url":"https://www.npmjs.com/package/postcss-minify-selector-parser/v/1.0.14"},
{"type":"PACKAGE","url":"https://www.npmjs.com/package/postcss-minify-selector-parser/v/1.0.16"},
{"type":"PACKAGE","url":"https://www.npmjs.com/package/postcss-minify-selector-parser/v/2.0.1"},
{"type":"PACKAGE","url":"https://www.npmjs.com/package/postcss-minify-selector-parser/v/1.0.11"},
{"type":"PACKAGE","url":"https://www.npmjs.com/package/postcss-minify-selector-parser/v/1.0.18"},
{"type":"PACKAGE","url":"https://www.npmjs.com/package/postcss-minify-selector-parser/v/1.0.12"}
],
"affected":[{"package":{"name":"postcss-minify-selector-parser","ecosystem":"npm","purl":"pkg:npm/postcss-minify-selector-parser"},
"versions":["1.0.15","1.0.17","1.0.13","1.0.18","1.0.14","1.0.16","2.0.1","1.0.11","1.0.12"],
"database_specific":{"cwes":[
{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},
{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},
{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},
{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},
{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},
{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},
{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},
{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},
{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}
],
"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/postcss-minify-selector-parser/MAL-2026-5737.json",
"indicators":{"ips":["104.16.5.34","10.1.0.2"],
"evidence_files":[
{"path":"src/pipeline/custom-codec-pipeline.js","tlsh":"367130c23cbf79c71d9bed64f0af0869186ca7113505f268aca953c80aeb275d123c8d","sha256":"6a38f4170e8e82254423040d311c8164b3d928ebc00cd7a95a8f22bee75ce128"},
{"path":"package.json","tlsh":"7021f400de104d7335ca9d6e3c6a1446907a94870a84bc483b4587ac4f9d5bf51fb3ae","sha256":"401217b0f03f7624b49dce3788bae66ffb7ff7de9cc6f8378742557a1f077740"},
{"path":"src/config/defaults.js","tlsh":"1f32cf7e7807033e81787bf1c8b46d266db22c3af06e3a154f7c40db6a46a07497256e","sha256":"ef36cbe227547ce6b4153010cb9350e25a7c09fb3f0a385be77612fa06ba4b54"}
],
"package_integrity":[{"hashes":{"sha1":"4e7eade3e30c0a65770c5a4eccd6313ee4b8a271","sha512_sri":"sha512-zxCQf8/w+3FiA6WhdVWGajEZENyhEyzx3ppuHFPhX0xAtj0KfY9dGioYB667nGIjnOox2zQWToXFwVW5imoGjg=="},"filename":"postcss-minify-selector-parser-1.0.15.tgz"}]}}}],
"schema_version":"1.7.5",
"credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}