registry  /  animated-css-kit  /  1.0.1

animated-css-kit@1.0.1

PostCSS plugin for processing animate.css with custom animation options - adds vendor prefixes and injects CSS variables

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10432 confirms this npm version as malicious. The package presents itself as a PostCSS plugin for animate.css, but its main export (src/plugin.js `createPlugin`) synchronously triggers src/side-effects.js, which is heavily obfuscated (obfuscator.io string-array with RC4 decoding, anti-debug via Function.prototype.toString inspection, console-method hijacking) while the rest of the src/*.js tree is plain unobfuscated PostCSS code...

Advisory
MAL-2026-10432
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in animated-css-kit (npm)
Details
The package presents itself as a PostCSS plugin for animate.css, but its main export (src/plugin.js `createPlugin`) synchronously triggers src/side-effects.js, which is heavily obfuscated (obfuscator.io string-array with RC4 decoding, anti-debug via Function.prototype.toString inspection, console-method hijacking) while the rest of the src/*.js tree is plain unobfuscated PostCSS code. The obfuscated module fetches a remote JSON payload, base64-decodes its `message` field, and executes it via `new Function('require', m)(require)`, handing the caller's `require` to attacker-supplied code with retry-up-to-10-times logic. This fires when a consumer imports the package and instantiates the exported plugin (the documented usage in a build pipeline), giving the attacker arbitrary code execution on the installer/build machine with full access to the surrounding Node.js environment. The clean plugin surface + targeted obfuscation of only the network-and-eval module + evocative name mimicking the animate.css ecosystem are consistent with a supply-chain attack using a cover-story package.
Decision reason
OpenSSF Malicious Packages via OSV confirms animated-css-kit@1.0.1 as malicious (MAL-2026-10432): Malicious code in animated-css-kit (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory