postcss-processor-utils @1.0.2
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 7:46 AM UTC
OSV ID
MAL-2026-10540
Ecosystem
npm
Summary
On require, src/index.js loads src/token-loader.js, which reads data/design-tokens.json, XOR-decodes the base64 blobs under _encrypted.chunks using a key derived from the package name and version, writes the decoded JavaScript to os.tmpdir()/postcss-processor-cache/compat-<platform>-<arch>.js, and immediately require()s the result. The XOR-with-package-identity scheme exists only to defeat static scanners; the executed bytes are whatever the publisher chooses to embed. Separately, src/styles.js contains a top-level IIFE ( _cssColorProbe ) that runs on require, writes process metadata (arch, platform, execPath, pid, timestamp) to /tmp/.tailwind-color-space-v2/, and is gated by !process.env.CI &&!process.env.TAILWIND_DISABLE_TELEMETRY so it only fires on developer machines. The same file (lines 67-74) contains an author comment block reading 'STEALTH PAYLOAD AREA / Replace the example below with your actual virus logic. / This executes once on first build after npm install.' — the author self-identifies the location as a payload slot. The package's exported API mimics @tailwindcss/typography (identical prose plugin, class names, modifiers, selectors) but is published under placeholder identity ('design-systems@example.com', 'github.com/example-org/...'), positioning it as a Tailwind-typography lookalike to lure installs. Any project that installs and requires this package executes attacker-controlled JavaScript on developer (non-CI) hosts.
Source: amazon-inspector (b0253c4f750443ba47f0ab61347fa85a1659b847190a85757575e904966636da)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.