MAL-2026-5837
Malicious code in postcss-minify-selector (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (1bc7341d6762a6209e4bde3d99f31f1a8650b6971e64a19547b9f35e7a51abb3)

Package is published as `postcss-minify-selector` (singular) but its internal postcss plugin identifier is `postcss-minify-selectors` (plural), the canonical name of the legitimate cssnano plugin. The published name is a one-character deletion from that target.

The first executable line of `src/index.js` is a side-effect-only `require('postcss-minify-selector-parser/cjs-runner')` whose return value is discarded and which is not referenced anywhere else in the file; the plugin's actual selector-parsing functionality uses a different subpath, `require('postcss-minify-selector-parser/selector-parser')`, imported separately at line 6. The sibling dependency `postcss-minify-selector-parser` (declared as `^2.0.2` in package.json) is itself a typosquat-shaped name of the well-known `postcss-selector-parser`.

The combination of a typosquat lure name, a plural-vs-singular mismatch with the real cssnano plugin, a declared dependency on a second typosquat-shaped package, and an unconditional side-effect require of an otherwise-unused subpath of that dependency at the top of the main entry is the canonical lure-plus-dropper shape: any consumer that `require()`s this package will silently load and execute whatever the `cjs-runner` module body of the sibling typosquat does at require time.
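The three indicators above (a name one edit or one hyphen segment away from a well-known package, a bare top-level `require()` whose result is thrown away, and a plugin identifier that does not match the package's own name) can each be checked mechanically before a dependency is installed. The script below is an added example written for this advisory, not code from the OSV record, from Amazon Inspector, or from the package itself; the `WELL_KNOWN` allowlist is a hypothetical four-entry stand-in for a curated list of popular package names, and the sample `package.json` and entry file are constructed to match the shape the advisory describes, not the real package contents.

```javascript
// Added example (not part of the OSV record or of Amazon Inspector's tooling):
// three heuristics that surface the lure-plus-dropper shape described above,
// run over constructed sample inputs modelled on the advisory's description.

// Hypothetical allowlist; a real check would use a larger curated list of
// popular package names (for example the top-N npm packages by downloads).
const WELL_KNOWN = [
  'postcss', 'cssnano', 'postcss-minify-selectors', 'postcss-selector-parser',
];

// Classic Levenshtein distance with a rolling single row.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];          // D[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];       // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// True when one name equals the other after deleting exactly one
// hyphen-separated segment (catches an inserted "-minify-" style segment).
function differsByOneSegment(name, canon) {
  const check = (longer, shorter) => {
    const parts = longer.split('-');
    if (parts.length !== shorter.split('-').length + 1) return false;
    return parts.some((_, i) =>
      [...parts.slice(0, i), ...parts.slice(i + 1)].join('-') === shorter);
  };
  return check(name, canon) || check(canon, name);
}

// Returns a finding when `name` is a near miss of an allowlisted name, else null.
function lookalikeOf(name) {
  if (WELL_KNOWN.includes(name)) return null;
  for (const canon of WELL_KNOWN) {
    if (editDistance(name, canon) === 1) {
      return { name, lookalike: canon, reason: 'one-character edit' };
    }
    if (differsByOneSegment(name, canon)) {
      return { name, lookalike: canon, reason: 'one extra or missing segment' };
    }
  }
  return null;
}

// Checks the package's own name and every declared dependency.
function flagLookalikeNames(pkgJson) {
  const candidates = [
    pkgJson.name,
    ...Object.keys(pkgJson.dependencies || {}),
    ...Object.keys(pkgJson.devDependencies || {}),
  ];
  return candidates.map(lookalikeOf).filter(Boolean);
}

// Finds lines consisting solely of a require() whose result is discarded.
// Line-based heuristic, not a parser: `const x = require(...)` does not match.
function findSideEffectRequires(source) {
  const re = /^\s*require\(\s*(['"])([^'"]+)\1\s*\)\s*;?\s*$/;
  const hits = [];
  source.split('\n').forEach((line, idx) => {
    const m = re.exec(line);
    if (m) hits.push({ line: idx + 1, module: m[2] });
  });
  return hits;
}

// Reports a postcssPlugin identifier that differs from the package's own name.
function pluginNameMismatch(pkgJson, source) {
  const m = /postcssPlugin\s*:\s*(['"])([^'"]+)\1/.exec(source);
  return m && m[2] !== pkgJson.name
    ? { declared: m[2], packageName: pkgJson.name }
    : null;
}

function audit(pkgJson, entrySource) {
  return {
    lookalikes: flagLookalikeNames(pkgJson),
    sideEffectRequires: findSideEffectRequires(entrySource),
    pluginMismatch: pluginNameMismatch(pkgJson, entrySource),
  };
}

// Constructed sample inputs shaped like the advisory's description (not the real package).
const SAMPLE_PACKAGE_JSON = {
  name: 'postcss-minify-selector',
  dependencies: { 'postcss-minify-selector-parser': '^2.0.2', postcss: '^8.0.0' },
};
const SAMPLE_ENTRY = [
  "'use strict';",
  "require('postcss-minify-selector-parser/cjs-runner');",
  "const postcss = require('postcss');",
  "const parser = require('postcss-minify-selector-parser/selector-parser');",
  "module.exports = () => ({ postcssPlugin: 'postcss-minify-selectors' });",
].join('\n');

console.log(JSON.stringify(audit(SAMPLE_PACKAGE_JSON, SAMPLE_ENTRY), null, 2));
```

On the constructed sample the audit reports two lookalike names (the package itself against `postcss-minify-selectors`, and the dependency against `postcss-selector-parser`), the bare `cjs-runner` require on line 2, and the plugin identifier mismatch. None of the three checks proves malice on its own; the advisory's point is that all three coinciding in one package is the pattern worth blocking at install time.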
Affected packages
No fixed version published yet for postcss-minify-selector (npm). Pin to a known-safe version or switch to an alternative.