
animatecss-postcss-plugin@1.0.1

OSV Malicious Advisory

scanned 13h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6495 confirms this npm version as malicious.

Advisory
MAL-2026-6495
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in animatecss-postcss-plugin (npm)
Details
animatecss-postcss-plugin@1.0.1 ships a tiny PostCSS plugin factory whose body contains an obfuscator.io-style string-array + RC4 decoder (functions _0xa311, _0x4399, _0x12b0 with a ~120-entry encoded string table). When the exported plugin factory is invoked during a CSS build, it constructs a URL from the decoded string array, performs an HTTP fetch with a 60s AbortController and a retry loop (attempts 1..10), base64-decodes the response body's `message` field via Buffer.from(k, 'base64').toString('utf-8'), and executes the resulting JavaScript via `new Function('require', _)(require)`, giving the remote payload full Node `require` access inside the developer's build process.

There is no legitimate reason for a PostCSS prefix-injection plugin to fetch and eval remote code, and the heavy obfuscation around the fetch destination and payload-handling logic confirms intent to hide the behavior from casual review. Any project that installs this plugin and runs its CSS build will execute attacker-controlled JavaScript with the privileges of the build process.

Source: ghsa-malware (d47c1d7e46882283bbc8692e516a9523b7a15dd96654d68799c1c31b9040e65c)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms animatecss-postcss-plugin@1.0.1 as malicious (MAL-2026-6495): Malicious code in animatecss-postcss-plugin (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
High · OSV Malicious Advisory