MAL-2026-6495: Malicious code in animatecss-postcss-plugin (npm)
The animatecss-postcss-plugin version 1.0.1 contains malicious code that fetches and executes remote JavaScript during the CSS build process. The plugin uses obfuscated code to hide its behavior, which includes decoding a remote payload and running it with full Node.js require access. This allows attacker-controlled code execution with the privileges of the build environment. There is no legitimate reason for this plugin to perform such actions, indicating intentional malicious behavior.
AI Analysis
Technical Summary
[email protected] includes an obfuscated PostCSS plugin factory that, when invoked, constructs a URL from an encoded string array and performs an HTTP fetch with retries. The response's 'message' field is base64-decoded and executed as JavaScript via a dynamic function call with full Node.js require access. This results in remote code execution within the developer's build process, enabling arbitrary attacker-controlled code execution. The obfuscation and remote code fetching are indicative of deliberate malicious intent.
Potential Impact
Any project that installs and runs animatecss-postcss-plugin version 1.0.1 will execute attacker-controlled JavaScript code with the privileges of the build process. This can lead to compromise of the build environment, potential theft of sensitive information, injection of malicious code into the build artifacts, and further supply chain attacks.
Mitigation Recommendations
No official patch or remediation is currently available for [email protected]. Users should immediately remove this package from their projects and avoid running builds that include it. Consider auditing dependencies for malicious code and replacing this plugin with a trusted alternative. Monitor vendor advisories for updates on remediation.
MAL-2026-6495: Malicious code in animatecss-postcss-plugin (npm)
Description
The animatecss-postcss-plugin version 1.0.1 contains malicious code that fetches and executes remote JavaScript during the CSS build process. The plugin uses obfuscated code to hide its behavior, which includes decoding a remote payload and running it with full Node.js require access. This allows attacker-controlled code execution with the privileges of the build environment. There is no legitimate reason for this plugin to perform such actions, indicating intentional malicious behavior.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
[email protected] includes an obfuscated PostCSS plugin factory that, when invoked, constructs a URL from an encoded string array and performs an HTTP fetch with retries. The response's 'message' field is base64-decoded and executed as JavaScript via a dynamic function call with full Node.js require access. This results in remote code execution within the developer's build process, enabling arbitrary attacker-controlled code execution. The obfuscation and remote code fetching are indicative of deliberate malicious intent.
Potential Impact
Any project that installs and runs animatecss-postcss-plugin version 1.0.1 will execute attacker-controlled JavaScript code with the privileges of the build process. This can lead to compromise of the build environment, potential theft of sensitive information, injection of malicious code into the build artifacts, and further supply chain attacks.
Mitigation Recommendations
No official patch or remediation is currently available for [email protected]. Users should immediately remove this package from their projects and avoid running builds that include it. Consider auditing dependencies for malicious code and replacing this plugin with a trusted alternative. Monitor vendor advisories for updates on remediation.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6495
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a3ef7cd27e9c79719001f52
Added to database: 06/26/2026, 22:06:05 UTC
Last enriched: 06/26/2026, 22:36:40 UTC
Last updated: 06/26/2026, 22:36:40 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.