Hi,
looks like host have some vulnerability that allows to write css file into your folder.
Try to delete it (or even better replace vendor directory with our from release) and set permissions for "vendor" to 555 recursively. (only for read and execute)
Also check file .htaccess inside vendor dir.
It must contains
Order Deny,Allow
Deny from all
(No one file cannot be accessible from web)
Please, let us know about results