MAL-2026-6578
Malicious code in layerd-unit-codec-parser (npm)
Details
## Source: amazon-inspector (e27d4511e4a3f335712736eebef6cf8e55e3f1bccbb13ded2fcef675622e58e1)

Package is published as `layerd-unit-codec-parser` but its README, install instructions, and example imports present it as `postcss-minify-selector-parser`, a name resembling the legitimate `postcss-selector-parser`. To complete the impersonation, `src/selector-parser.js` re-exports the real `postcss-selector-parser` and `src/index.js` spreads its API onto the package's own exports.

Alongside this benign-looking surface, `src/config/defaults.js` ships a multi-KB AES-GCM ciphertext (`DEFAULT_FINAL_ENCODED_TEXT`) together with the passphrase (`DEFAULT_AES_PASSPHRASE='default-dev-passphrase'`) and salt (`DEFAULT_AES_SALT='encode-npm-c-salt'`) needed to decrypt it. The exported `run` / `runDefaultDecodedFunction` / `finalFinalDecodeAndRun` code path (reachable via `npm start`, `npm run decode`, `node cjs-runner.js`, or any consumer calling `.run()` on the main export) decrypts that blob and executes the resulting string with `new Function('require', runnable)(require)`. Shipping both the ciphertext and its decryption key makes the AES layer pure obfuscation over executable JavaScript that the package then evaluates: functionally it is equivalent to base64-decode-and-eval of an opaque payload, with full access to `require` in the installer's environment.
Affected packages
No fixed version published yet for layerd-unit-codec-parser (npm). Pin to a known-safe version or switch to an alternative.