OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10614 confirms this npm version as malicious. Package is published as `postcss-selector-minify` (a word-order permutation of cssnano's widely used `postcss-minify-selectors`) and registers itself to PostCSS under the legitimate plugin's id `postcss-minify-selectors`, so consumers who mistype or misremember the cssnano plugin name receive a different publisher's package that self-identifies as the real one...
Advisory
MAL-2026-10614
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in postcss-selector-minify (npm)
Details
Package is published as `postcss-selector-minify` (a word-order permutation of cssnano's widely used `postcss-minify-selectors`) and registers itself to PostCSS under the legitimate plugin's id `postcss-minify-selectors`, so consumers who mistype or misremember the cssnano plugin name receive a different publisher's package that self-identifies as the real one. On `require()`, the main entry performs a bare side-effect import of `layerd-unit-codec-parser/cjs-runner` (return value discarded) before any other work, and replaces the de-facto-standard `postcss-selector-parser` with `layerd-unit-codec-parser/selector-parser` (the standard parser is demoted to devDependencies). `layerd-unit-codec-parser` is an obscure package whose name has no relation to CSS or PostCSS; the `/cjs-runner` submodule path is shaped specifically to execute code on load. Installing this package silently pulls `layerd-unit-codec-parser` into the consumer's dependency tree and runs its `cjs-runner` module on every require of the wrapper.
Decision reason
OpenSSF Malicious Packages via OSV confirms postcss-selector-minify@2.0.0 as malicious (MAL-2026-10614): Malicious code in postcss-selector-minify (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory