OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-5629 confirms this npm version as malicious. The package name `sass-formats` is one character-edit away from the popular `sass-formatter` package and reuses its original author field (`"author": "Syler"` in package.json), while dist/cli.js carries a header indicating it was modified by a different maintainer (`// Modified by https://github.com/maarutan... Marat Arzymatov 2025`). The tarball ships dist/lib/lib.min.js, a heavily obfuscated 4 KB file that...
Advisory
MAL-2026-5629
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in sass-formats (npm)
Details
The package name `sass-formats` is one character-edit away from the popular `sass-formatter` package and reuses its original author field (`"author": "Syler"` in package.json), while dist/cli.js carries a header indicating it was modified by a different maintainer (`// Modified by https://github.com/maarutan... Marat Arzymatov 2025`). The tarball ships dist/lib/lib.min.js, a heavily obfuscated 4 KB file that smuggles handles to `require` and `module` onto the global object (`global['r']=require; global['m']=module`), tags itself with a payload-version marker (`global['_V']='A6-519-79'`), and derives the string `constructor` from a shuffled character array to invoke `Function(args, body)` on a second shuffled string — the canonical string-array-shuffle / dynamic-Function execution shape used by npm credential and dropper malware. Although no entrypoint in v1.0.4 currently loads dist/lib/lib.min.js, shipping a hidden Function-constructor payload with smuggled require/module references in a package that purports to be a Sass formatter has no legitimate engineering purpose, and the combination of name-edit typosquat against `sass-formatter` plus impersonated author identity plus a staged dynamic-execution payload matches the supply-chain attack pattern.
## Source: ghsa-malware (593849a1308008d25bbda542cd5504e43cae6241d7ebe1c44b08377e2afe13d5) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms sass-formats@1.0.2 as malicious (MAL-2026-5629): Malicious code in sass-formats (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory