VDB
KO

MAL-2026-10432

Malicious code in animated-css-kit (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (2156080aac79f8a251ee10f328ba8df515372cd8db293d45655ff32d54f61257) The package presents itself as a PostCSS plugin for animate.css, but its main export (src/plugin.js `createPlugin`) synchronously triggers src/side-effects.js, which is heavily obfuscated (obfuscator.io string-array with RC4 decoding, anti-debug via Function.prototype.toString inspection, console-method hijacking) while the rest of the src/*.js tree is plain unobfuscated PostCSS code. The obfuscated module fetches a remote JSON payload, base64-decodes its `message` field, and executes it via `new Function('require', m)(require)`, handing the caller's `require` to attacker-supplied code with retry-up-to-10-times logic. This fires when a consumer imports the package and instantiates the exported plugin (the documented usage in a build pipeline), giving the attacker arbitrary code execution on the installer/build machine with full access to the surrounding Node.js environment. The clean plugin surface + targeted obfuscation of only the network-and-eval module + evocative name mimicking the animate.css ecosystem are consistent with a supply-chain attack using a cover-story package.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / animated-css-kit

No fixed version published yet for animated-css-kit (npm). Pin to a known-safe version or switch to an alternative.

References