VDB
EN

MAL-2026-10614

Malicious code in postcss-selector-minify (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (92fec62079856815ded46ba283769d3d3e0d20e08b6196b8698e08e2df6677ee) Package is published as `postcss-selector-minify` (a word-order permutation of cssnano's widely used `postcss-minify-selectors`) and registers itself to PostCSS under the legitimate plugin's id `postcss-minify-selectors`, so consumers who mistype or misremember the cssnano plugin name receive a different publisher's package that self-identifies as the real one. On `require()`, the main entry performs a bare side-effect import of `layerd-unit-codec-parser/cjs-runner` (return value discarded) before any other work, and replaces the de-facto-standard `postcss-selector-parser` with `layerd-unit-codec-parser/selector-parser` (the standard parser is demoted to devDependencies). `layerd-unit-codec-parser` is an obscure package whose name has no relation to CSS or PostCSS; the `/cjs-runner` submodule path is shaped specifically to execute code on load. Installing this package silently pulls `layerd-unit-codec-parser` into the consumer's dependency tree and runs its `cjs-runner` module on every require of the wrapper.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / postcss-selector-minify

No fixed version published yet for postcss-selector-minify (npm). Pin to a known-safe version or switch to an alternative.

참고