animated-css-kit @1.0.1
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10432
Ecosystem
npm
Summary
The package presents itself as a PostCSS plugin for animate.css, but its main export (src/plugin.js createPlugin ) synchronously triggers src/side-effects.js, which is heavily obfuscated (obfuscator.io string-array with RC4 decoding, anti-debug via Function.prototype.toString inspection, console-method hijacking) while the rest of the src/*.js tree is plain unobfuscated PostCSS code. The obfuscated module fetches a remote JSON payload, base64-decodes its message field, and executes it via new Function('require', m)(require) , handing the caller's require to attacker-supplied code with retry-up-to-10-times logic. This fires when a consumer imports the package and instantiates the exported plugin (the documented usage in a build pipeline), giving the attacker arbitrary code execution on the installer/build machine with full access to the surrounding Node.js environment. The clean plugin surface + targeted obfuscation of only the network-and-eval module + evocative name mimicking the animate.css ecosystem are consistent with a supply-chain attack using a cover-story package.
Source: amazon-inspector (2156080aac79f8a251ee10f328ba8df515372cd8db293d45655ff32d54f61257)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.