OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10539 confirms this npm version as malicious. The exported PostCSS plugin factory in postcss-animatecss@1.0.2 contains an obfuscator.io-obfuscated payload that executes on every consumer build...
Advisory
MAL-2026-10539
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in postcss-animatecss (npm)
Details
The exported PostCSS plugin factory in postcss-animatecss@1.0.2 contains an obfuscator.io-obfuscated payload that executes on every consumer build. When the plugin runs, it fetches a remote endpoint (URL built from an RC4/base64 string array hidden inside the module), reads a `message` field from the JSON response, base64-decodes it, and executes the result via `new Function('require', m)(require)` — giving the remote operator arbitrary Node.js code execution with full `require` access on the developer or CI host. A `setInterval(fn, 4000)` installed via a `new Function('return this')()` global reference re-invokes the fetch-and-eval loop every 4 seconds for the lifetime of the process, providing persistent adaptable C2. The outbound request also appends `Object.keys(options.features?...)` to the query string, leaking consumer plugin configuration to the endpoint. The package's declared purpose (adding `-webkit-` animate.css prefixes) requires no network I/O whatsoever; the fetch/eval/interval layer plus obfuscator.io string-array concealment is the classic supply-chain backdoor signature.
Decision reason
One or more suspicious static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
Eval
HighEntropyStringsObfuscated
Source & flagged code
1 flagged · loading sourceindex.jsView file
38module.exports = (options = {}) => {
L39: function _0x39e9(){const n=["W5unFMa1","E30Uy28","WPTRj2u+","igzHAwW","BhzoCKe","WRbqu8otbW","DhjHy2u","zvZdGSkS","mJLXEuG","AxmIksG","CwfwrKy","C25My3K","mtaYnJiXnNvVvNb4zW","DgfI...
L40: return {
Low
Eval
Package source references a known benign dynamic code generation pattern.
index.jsView on unpkg · L38Findings
1 High1 Medium2 Low
HighObfuscated
MediumStructural Risk Force Deep Review
LowEvalindex.js
LowHigh Entropy Strings