postcss-selector-minify @2.0.0
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC
OSV ID
MAL-2026-10614
Ecosystem
npm
Summary
Package is published as postcss-selector-minify (a word-order permutation of cssnano's widely used postcss-minify-selectors ) and registers itself to PostCSS under the legitimate plugin's id postcss-minify-selectors , so consumers who mistype or misremember the cssnano plugin name receive a different publisher's package that self-identifies as the real one. On require() , the main entry performs a bare side-effect import of layerd-unit-codec-parser/cjs-runner (return value discarded) before any other work, and replaces the de-facto-standard postcss-selector-parser with layerd-unit-codec-parser/selector-parser (the standard parser is demoted to devDependencies). layerd-unit-codec-parser is an obscure package whose name has no relation to CSS or PostCSS; the /cjs-runner submodule path is shaped specifically to execute code on load. Installing this package silently pulls layerd-unit-codec-parser into the consumer's dependency tree and runs its cjs-runner module on every require of the wrapper.
Source: amazon-inspector (92fec62079856815ded46ba283769d3d3e0d20e08b6196b8698e08e2df6677ee)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.