MAL-2026-10687: Malicious code in selparsecss-selector (npm)
The selparsecss-selector npm package versions 1.0.0, 1.1.0, 2.0.0, and 2.1.0 is a malicious fork impersonating the legitimate postcss-selector-parser package. It includes obfuscated code that executes child_process commands, which are unnecessary for a CSS selector parser, indicating malicious intent. The package uses bytenode to load opaque bytecode files, further hiding its malicious payload. This supply-chain attack targets developers intending to use the legitimate postcss-selector-parser package.
AI Analysis
Technical Summary
[email protected], 1.1.0, 2.0.0, and 2.1.0 is a name-confusion fork of the legitimate postcss-selector-parser npm package. It impersonates the original author and copies the source and license verbatim but includes a large obfuscated bundle that executes shell commands via child_process, which is unnecessary for its stated functionality. The package also uses bytenode to load obfuscated V8 bytecode files, making inspection difficult. This combination of impersonation, obfuscation, and execution of shell commands constitutes a supply-chain attack targeting developers who intended to install the legitimate package.
Potential Impact
The malicious package can execute arbitrary shell commands on the developer's system due to the use of child_process exec and execSync calls. This can lead to compromise of the development environment, potential data theft, or further malware installation. The obfuscation and use of bytenode bytecode loading hinder detection and analysis, increasing the risk of unnoticed compromise.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid installing selparsecss-selector versions 1.0.0, 1.1.0, 2.0.0, and 2.1.0. Instead, they should verify the authenticity of packages before installation, prefer the legitimate postcss-selector-parser package, and audit dependencies for suspicious or impersonated packages. Monitor package sources and use tools that detect malicious npm packages. Patch status is not yet confirmed — check the vendor advisory or npm security advisories for updates.
MAL-2026-10687: Malicious code in selparsecss-selector (npm)
Description
The selparsecss-selector npm package versions 1.0.0, 1.1.0, 2.0.0, and 2.1.0 is a malicious fork impersonating the legitimate postcss-selector-parser package. It includes obfuscated code that executes child_process commands, which are unnecessary for a CSS selector parser, indicating malicious intent. The package uses bytenode to load opaque bytecode files, further hiding its malicious payload. This supply-chain attack targets developers intending to use the legitimate postcss-selector-parser package.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
[email protected], 1.1.0, 2.0.0, and 2.1.0 is a name-confusion fork of the legitimate postcss-selector-parser npm package. It impersonates the original author and copies the source and license verbatim but includes a large obfuscated bundle that executes shell commands via child_process, which is unnecessary for its stated functionality. The package also uses bytenode to load obfuscated V8 bytecode files, making inspection difficult. This combination of impersonation, obfuscation, and execution of shell commands constitutes a supply-chain attack targeting developers who intended to install the legitimate package.
Potential Impact
The malicious package can execute arbitrary shell commands on the developer's system due to the use of child_process exec and execSync calls. This can lead to compromise of the development environment, potential data theft, or further malware installation. The obfuscation and use of bytenode bytecode loading hinder detection and analysis, increasing the risk of unnoticed compromise.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid installing selparsecss-selector versions 1.0.0, 1.1.0, 2.0.0, and 2.1.0. Instead, they should verify the authenticity of packages before installation, prefer the legitimate postcss-selector-parser package, and audit dependencies for suspicious or impersonated packages. Monitor package sources and use tools that detect malicious npm packages. Patch status is not yet confirmed — check the vendor advisory or npm security advisories for updates.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10687
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a58b44b68715ace43d6b522
Added to database: 07/16/2026, 10:36:59 UTC
Last enriched: 07/16/2026, 11:25:05 UTC
Last updated: 07/17/2026, 03:38:29 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.