animatecss-postcss-plugin @1.0.1
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 2:48 PM UTC
OSV ID
MAL-2026-6495
Ecosystem
npm
Summary
animatecss-postcss-plugin@1.0.1 ships a tiny PostCSS plugin factory whose body contains an obfuscator.io-style string-array + RC4 decoder (functions _0xa311, _0x4399, _0x12b0 with a ~120-entry encoded string table). When the exported plugin factory is invoked during a CSS build, it constructs a URL from the decoded string array, performs an HTTP fetch with a 60s AbortController and a retry loop (attempts 1..10), base64-decodes the response body's message field via Buffer.from(k, 'base64').toString('utf-8'), and executes the resulting JavaScript via new Function('require', _)(require) — giving the remote payload full Node require access inside the developer's build process. There is no legitimate reason for a PostCSS prefix-injection plugin to fetch and eval remote code, and the heavy obfuscation around the fetch destination and payload-handling logic confirms intent to hide the behavior from casual review. Any project that installs this plugin and runs its CSS build will execute attacker-controlled JavaScript with the privileges of the build process.
Source: amazon-inspector (6be12cec08d0999c157774b746c3e431825ae61635bb8ddddf36061d4602cec7)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.