npm

postcss-animatecss @1.0.2

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 7:46 AM UTC

Malicious

OSV ID

MAL-2026-10539

Ecosystem

npm

Summary

The exported PostCSS plugin factory in postcss-animatecss@1.0.2 contains an obfuscator.io-obfuscated payload that executes on every consumer build. When the plugin runs, it fetches a remote endpoint (URL built from an RC4/base64 string array hidden inside the module), reads a message field from the JSON response, base64-decodes it, and executes the result via new Function('require', m)(require) — giving the remote operator arbitrary Node.js code execution with full require access on the developer or CI host. A setInterval(fn, 4000) installed via a new Function('return this')() global reference re-invokes the fetch-and-eval loop every 4 seconds for the lifetime of the process, providing persistent adaptable C2. The outbound request also appends Object.keys(options.features?...) to the query string, leaking consumer plugin configuration to the endpoint. The package's declared purpose (adding -webkit- animate.css prefixes) requires no network I/O whatsoever; the fetch/eval/interval layer plus obfuscator.io string-array concealment is the classic supply-chain backdoor signature.

Source: amazon-inspector (adfcae16a606f0b7eccb6cd94c1d1d0b583b19021bb15d04161f3ca8855aba61)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.