Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in postcss-processor-utils (npm)

postcss-processor-utils

Risk score

92

AI summary

Indexed incident for postcss-processor-utils (npm).

Description

On require, src/index.js loads src/token-loader.js, which reads data/design-tokens.json, XOR-decodes the base64 blobs under _encrypted.chunks using a key derived from the package name and version, writes the decoded JavaScript to os.tmpdir()/postcss-processor-cache/compat--.js, and immediately require()s the result. The XOR-with-package-identity scheme exists only to defeat static scanners; the executed bytes are whatever the publisher chooses to embed. Separately, src/styles.js contains a top-level IIFE (_cssColorProbe) that runs on require, writes process metadata (arch, platform, execPath, pid, timestamp) to /tmp/.tailwind-color-space-v2/, and is gated by !process.env.CI &&!process.env.TAILWIND_DISABLE_TELEMETRY so it only fires on developer machines. The same file (lines 67-74) contains an author comment block reading 'STEALTH PAYLOAD AREA / Replace the example below with your actual virus logic. / This executes once on first build after npm install.' — the author self-identifies the location as a payload slot. The package's exported API mimics @tailwindcss/typography (identical prose plugin, class names, modifiers, selectors) but is published under placeholder identity ('design-systems@example.com', 'github.com/example-org/...'), positioning it as a Tailwind-typography lookalike to lure installs. Any project that installs and requires this package executes attacker-controlled JavaScript on developer (non-CI) hosts.

Technical details

Affected versions

=1.0.2

Indicators

  • affected version=1.0.275%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents