OSV-MAL-2026-5629

Malicious code in sass-formats (npm)

--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (5ccda832d10cb642350129278ae1fc341d3be8b8302ddbf9bdcfc15eeeb6eae8) The package name `sass-formats` is one character-edit away from the popular `sass-formatter` package and reuses its original author field (`"author": "Syler"` in package.json), while dist/cli.js carries a header indicating it was modified by a different maintainer (`// Modified by https://github.com/maarutan... Marat Arzymatov 2025`). The tarball ships dist/lib/lib.min.js, a heavily obfuscated 4 KB file that smuggles handles to `require` and `module` onto the global object (`global['r']=require; global['m']=module`), tags itself with a payload-version marker (`global['_V']='A6-519-79'`), and derives the string `constructor` from a shuffled character array to invoke `Function(args, body)` on a second shuffled string — the canonical string-array-shuffle / dynamic-Function execution shape used by npm credential and dropper malware. Although no entrypoint in v1.0.4 currently loads dist/lib/lib.min.js, shipping a hidden Function-constructor payload with smuggled require/module references in a package that purports to be a Sass formatter has no legitimate engineering purpose, and the combination of name-edit typosquat against `sass-formatter` plus impersonated author identity plus a staged dynamic-execution payload matches the supply-chain attack pattern. ## Source: ghsa-malware (593849a1308008d25bbda542cd5504e43cae6241d7ebe1c44b08377e2afe13d5) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.