MAL-2026-10540
Malicious code in postcss-processor-utils (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (b0253c4f750443ba47f0ab61347fa85a1659b847190a85757575e904966636da) On require, src/index.js loads src/token-loader.js, which reads data/design-tokens.json, XOR-decodes the base64 blobs under `_encrypted.chunks` using a key derived from the package name and version, writes the decoded JavaScript to os.tmpdir()/postcss-processor-cache/compat-<platform>-<arch>.js, and immediately require()s the result. The XOR-with-package-identity scheme exists only to defeat static scanners; the executed bytes are whatever the publisher chooses to embed. Separately, src/styles.js contains a top-level IIFE (`_cssColorProbe`) that runs on require, writes process metadata (arch, platform, execPath, pid, timestamp) to /tmp/.tailwind-color-space-v2/, and is gated by `!process.env.CI &&!process.env.TAILWIND_DISABLE_TELEMETRY` so it only fires on developer machines. The same file (lines 67-74) contains an author comment block reading 'STEALTH PAYLOAD AREA / Replace the example below with your actual virus logic. / This executes once on first build after npm install.' — the author self-identifies the location as a payload slot. The package's exported API mimics @tailwindcss/typography (identical `prose` plugin, class names, modifiers, selectors) but is published under placeholder identity ('design-systems@example.com', 'github.com/example-org/...'), positioning it as a Tailwind-typography lookalike to lure installs. Any project that installs and requires this package executes attacker-controlled JavaScript on developer (non-CI) hosts.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for postcss-processor-utils (npm). Pin to a known-safe version or switch to an alternative.