registry  /  postcss-processor-utils  /  1.0.2

postcss-processor-utils@1.0.2

PostCSS and Tailwind utilities for processing design-system tokens, typography scales, and color compatibility layers.

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10540 confirms this npm version as malicious. On require, src/index.js loads src/token-loader.js, which reads data/design-tokens.json, XOR-decodes the base64 blobs under `_encrypted.chunks` using a key derived from the package name and version, writes the decoded JavaScript to os.tmpdir()/postcss-processor-cache/compat-<platform>-<arch>.js, and immediately require()s the result...

Advisory
MAL-2026-10540
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in postcss-processor-utils (npm)
Details
On require, src/index.js loads src/token-loader.js, which reads data/design-tokens.json, XOR-decodes the base64 blobs under `_encrypted.chunks` using a key derived from the package name and version, writes the decoded JavaScript to os.tmpdir()/postcss-processor-cache/compat-<platform>-<arch>.js, and immediately require()s the result. The XOR-with-package-identity scheme exists only to defeat static scanners; the executed bytes are whatever the publisher chooses to embed. Separately, src/styles.js contains a top-level IIFE (`_cssColorProbe`) that runs on require, writes process metadata (arch, platform, execPath, pid, timestamp) to /tmp/.tailwind-color-space-v2/, and is gated by `!process.env.CI &&!process.env.TAILWIND_DISABLE_TELEMETRY` so it only fires on developer machines. The same file (lines 67-74) contains an author comment block reading 'STEALTH PAYLOAD AREA / Replace the example below with your actual virus logic. / This executes once on first build after npm install.' — the author self-identifies the location as a payload slot. The package's exported API mimics @tailwindcss/typography (identical `prose` plugin, class names, modifiers, selectors) but is published under placeholder identity ('design-systems@example.com', 'github.com/example-org/...'), positioning it as a Tailwind-typography lookalike to lure installs. Any project that installs and requires this package executes attacker-controlled JavaScript on developer (non-CI) hosts.
Decision reason
OpenSSF Malicious Packages via OSV confirms postcss-processor-utils@1.0.2 as malicious (MAL-2026-10540): Malicious code in postcss-processor-utils (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory