Malicious package

postcss-minify-selector (npm)

Malicious code in postcss-minify-selector (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5837
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall postcss-minify-selector

What this malware does

The package is published as postcss-minify-selector (singular), but its internal postcss plugin identifier is postcss-minify-selectors (plural), the canonical name of the legitimate cssnano plugin. The published name is a one-character deletion from that target.

The first executable line of src/index.js is a side-effect-only require('postcss-minify-selector-parser/cjs-runner'): its return value is discarded and it is not referenced anywhere else in the file. The plugin's actual selector-parsing functionality uses a different subpath, require('postcss-minify-selector-parser/selector-parser'), imported separately at line 6. The sibling dependency postcss-minify-selector-parser (declared as ^2.0.2 in package.json) is itself a typosquat-shaped name of the well-known postcss-selector-parser.

The combination of a typosquat lure name, a plural-vs-singular mismatch with the real cssnano plugin, a declared dependency on a second typosquat-shaped package, and an unconditional side-effect require of an otherwise-unused subpath of that dependency at the top of the main entry is the canonical lure-plus-dropper shape: any consumer that require()s this package will silently load and execute whatever the cjs-runner module body of the sibling typosquat does at require time.

Malicious versions

4 flagged
0.1.2, 0.1.3, 2.0.1, 2.0.2
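
To check whether a dependency tree contains the package, including transitive and aliased installs, this added example (not code from O3 Security or Amazon Inspector) audits a parsed package-lock.json against the name and versions listed on this page. The function names and the sample lockfile are constructed, and reporting any version of the sibling postcss-minify-selector-parser for review is an assumption, since this page lists no flagged versions for it.

```javascript
// Added example: audit a parsed package-lock.json for the packages in this advisory.
// Versions listed as malicious on this page.
const FLAGGED = new Map([
  ["postcss-minify-selector", ["0.1.2", "0.1.3", "2.0.1", "2.0.2"]],
]);
// Sibling dependency the advisory describes; the page lists no flagged versions
// for it, so any occurrence is reported for manual review (assumption).
const REVIEW = new Set(["postcss-minify-selector-parser"]);

function classify(name, version, where) {
  if (FLAGGED.has(name)) {
    const status = FLAGGED.get(name).includes(version) ? "malicious" : "review";
    return { name, version, where, status };
  }
  return REVIEW.has(name) ? { name, version, where, status: "review" } : null;
}

function auditLockfile(lock) {
  const hits = [];
  const record = (hit) => { if (hit) hits.push(hit); };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // the "" key is the root project itself
    // Aliased installs carry the real package name in meta.name.
    const name = meta.name || path.slice(idx + "node_modules/".length);
    record(classify(name, meta.version, path));
  }
  // lockfileVersion 1: nested "dependencies" tree. Skipped when "packages"
  // exists, because v2 lockfiles carry both and would double-report.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      record(classify(name, meta.version, [...trail, name].join(" > ")));
      walk(meta.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample: names match the advisory, versions and layout are invented.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/build-tool/node_modules/postcss-minify-selector": { version: "2.0.2" },
    "node_modules/postcss-minify-selector-parser": { version: "2.0.3" },
    "node_modules/postcss-minify-selectors": { version: "6.0.0" }, // legitimate plural name
  },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

For a real project, pass the result of JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) to auditLockfile. Matching is on the exact package name, so the legitimate plural postcss-minify-selectors is not reported.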

Indicators of compromise (SHA-256)

1bc7341d6762a6209e4bde3d99f31f1a8650b6971e64a19547b9f35e7a51abb3
7a12e5b695f34acfd56492479c547e8ce5af1f5916bd100466e392282620d6e3
86f41c204dc9ab99c0389073b9026546d7553724d95f4c496ec81227f18c0f36
b13a4d7bb597dfb50336a460d0c064430fc60f900a1f61e2c3450996bd6f67ce

Frequently asked questions

No. postcss-minify-selector on npm has been identified as a malicious package (versions 0.1.2, 0.1.3, 2.0.1, 2.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006705, IN-MAL-2026-006706, IN-MAL-2026-006707, IN-MAL-2026-006708

Credits

  • Amazon Inspector · finder

postcss-minify-selector (npm) malicious package — MAL-2026-5837 | O3 Security