OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10540 confirms this npm version as malicious. On require, src/index.js loads src/token-loader.js, which reads data/design-tokens.json, XOR-decodes the base64 blobs under `_encrypted.chunks` using a key derived from the package name and version, writes the decoded JavaScript to os.tmpdir()/postcss-processor-cache/compat-<platform>-<arch>.js, and immediately require()s the result...
Advisory
MAL-2026-10540
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in postcss-processor-utils (npm)
Details
On require, src/index.js loads src/token-loader.js, which reads data/design-tokens.json, XOR-decodes the base64 blobs under `_encrypted.chunks` using a key derived from the package name and version, writes the decoded JavaScript to os.tmpdir()/postcss-processor-cache/compat-<platform>-<arch>.js, and immediately require()s the result. The XOR-with-package-identity scheme exists only to defeat static scanners; the executed bytes are whatever the publisher chooses to embed. Separately, src/styles.js contains a top-level IIFE (`_cssColorProbe`) that runs on require, writes process metadata (arch, platform, execPath, pid, timestamp) to /tmp/.tailwind-color-space-v2/, and is gated by `!process.env.CI &&!process.env.TAILWIND_DISABLE_TELEMETRY` so it only fires on developer machines. The same file (lines 67-74) contains an author comment block reading 'STEALTH PAYLOAD AREA / Replace the example below with your actual virus logic. / This executes once on first build after npm install.' — the author self-identifies the location as a payload slot. The package's exported API mimics @tailwindcss/typography (identical `prose` plugin, class names, modifiers, selectors) but is published under placeholder identity ('design-systems@example.com', 'github.com/example-org/...'), positioning it as a Tailwind-typography lookalike to lure installs. Any project that installs and requires this package executes attacker-controlled JavaScript on developer (non-CI) hosts.
## Source: ghsa-malware (964d32bf7c4b15509607e1e7bce59d3c5a06ecf914bc1035f778163b0fe16e95) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms postcss-processor-utils@1.0.1 as malicious (MAL-2026-10540): Malicious code in postcss-processor-utils (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory