{"id":"MAL-2026-6495","summary":"Malicious code in animatecss-postcss-plugin (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6be12cec08d0999c157774b746c3e431825ae61635bb8ddddf36061d4602cec7)\nanimatecss-postcss-plugin@1.0.1 ships a tiny PostCSS plugin factory whose body contains an obfuscator.io-style string-array + RC4 decoder (functions _0xa311, _0x4399, _0x12b0 with a ~120-entry encoded string table). When the exported plugin factory is invoked during a CSS build, it constructs a URL from the decoded string array, performs an HTTP fetch with a 60s AbortController and a retry loop (attempts 1..10), base64-decodes the response body's `message` field via Buffer.from(k, 'base64').toString('utf-8'), and executes the resulting JavaScript via `new Function('require', _)(require)` — giving the remote payload full Node `require` access inside the developer's build process. There is no legitimate reason for a PostCSS prefix-injection plugin to fetch and eval remote code, and the heavy obfuscation around the fetch destination and payload-handling logic confirms intent to hide the behavior from casual review. Any project that installs this plugin and runs its CSS build will execute attacker-controlled JavaScript with the privileges of the build process.\n","modified":"2026-06-26T02:01:23.668369450Z","published":"2026-06-26T01:42:36Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-007577","sha256":"6be12cec08d0999c157774b746c3e431825ae61635bb8ddddf36061d4602cec7","modified_time":"2026-06-26T01:42:36Z","import_time":"2026-06-26T01:51:19.289438476Z","versions":["1.0.1"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/animatecss-postcss-plugin/v/1.0.1"}],"affected":[{"package":{"name":"animatecss-postcss-plugin","ecosystem":"npm","purl":"pkg:npm/animatecss-postcss-plugin"},"versions":["1.0.1"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha1":"f4f826b716e53089f872f70151db9ba1399d0313","sha512_sri":"sha512-s9DdHjAy3pltPPPwZbvpAjRroHfzYYVPiHjpIllMPs8jL7crvOLxbT+/7VXttwQr7qY+ZTtEnqCIKmQwxb0lcw=="},"filename":"animatecss-postcss-plugin-1.0.1.tgz"}],"evidence_files":[{"sha256":"0b70e0c2e0d033b78ccc1a68998ae398f0d77b7947e3397e39ade373fda9bf1a","tlsh":"3b42f8b97461744827b73672c7af248bfe3466933948648875bc83943f32d2881a3f79","path":"index.js"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/animatecss-postcss-plugin/MAL-2026-6495.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}