Supply-chain threat intelligence
Risk score: 92
Indexed incident for animatecss-postcss-plugin (npm).
animatecss-postcss-plugin@1.0.1 ships a tiny PostCSS plugin factory whose body contains an obfuscator.io-style string-array + RC4 decoder (functions _0xa311, _0x4399, _0x12b0 with a ~120-entry encoded string table). When the exported plugin factory is invoked during a CSS build, it constructs a URL from the decoded string array, performs an HTTP fetch with a 60s AbortController and a retry loop (attempts 1..10), base64-decodes the response body's message field via Buffer.from(k, 'base64').toString('utf-8'), and executes the resulting JavaScript via new Function('require', _)(require) — giving the remote payload full Node require access inside the developer's build process. There is no legitimate reason for a PostCSS prefix-injection plugin to fetch and eval remote code, and the heavy obfuscation around the fetch destination and payload-handling logic confirms intent to hide the behavior from casual review. Any project that installs this plugin and runs its CSS build will execute attacker-controlled JavaScript with the privileges of the build process.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Affected versions
Indicators
Timeline