MAL-2026-10539
Malicious code in postcss-animatecss (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (adfcae16a606f0b7eccb6cd94c1d1d0b583b19021bb15d04161f3ca8855aba61) The exported PostCSS plugin factory in postcss-animatecss@1.0.2 contains an obfuscator.io-obfuscated payload that executes on every consumer build. When the plugin runs, it fetches a remote endpoint (URL built from an RC4/base64 string array hidden inside the module), reads a `message` field from the JSON response, base64-decodes it, and executes the result via `new Function('require', m)(require)` — giving the remote operator arbitrary Node.js code execution with full `require` access on the developer or CI host. A `setInterval(fn, 4000)` installed via a `new Function('return this')()` global reference re-invokes the fetch-and-eval loop every 4 seconds for the lifetime of the process, providing persistent adaptable C2. The outbound request also appends `Object.keys(options.features?...)` to the query string, leaking consumer plugin configuration to the endpoint. The package's declared purpose (adding `-webkit-` animate.css prefixes) requires no network I/O whatsoever; the fetch/eval/interval layer plus obfuscator.io string-array concealment is the classic supply-chain backdoor signature.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for postcss-animatecss (npm). Pin to a known-safe version or switch to an alternative.