MAL-2026-10073

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tailwind-animate-v4/MAL-2026-10073.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10073
Published
2026-07-09T15:28:38Z
Modified
2026-07-09T23:47:00.629829215Z
Summary
Malicious code in tailwind-animate-v4 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fd43366b04ea80c2244079c09602623af157ce00cba9ae1837005b97ffe44bdb)

The package presents itself as a Tailwind CSS animation plugin and reproduces the legitimate tailwindcss-animate source (including its original author metadata) verbatim in index.js. A long whitespace run at the end of the file visually hides an appended obfuscated loader. On require(), the loader permutation-decodes a string to recover the identifiers 'require', 'module', '__dirname', '__filename', and 'undefined', re-installs them on the global object, then resolves the Function constructor indirectly via a String prototype method whose name is produced by string permutation ('constructor'). It then uses Function() to compile and immediately invoke a large opaque decoded payload (uwg(4261)). This is dynamic execution of an obfuscated blob at library-load time, delivered under a name that mimics the widely used tailwindcss-animate package. Any project that adds this dependency and requires it will execute the hidden payload in the developer/build process, with full access to environment variables, filesystem, and network.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "90507eebce1061b352492fe3e6bb9673a9b4072c5b35381df73d86b52a342889",
            "id": "IN-MAL-2026-009102",
            "import_time": "2026-07-09T16:20:40.805709628Z",
            "modified_time": "2026-07-09T15:28:38Z",
            "versions": [
                "2.1.1"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "2.1.0"
            ],
            "id": "IN-MAL-2026-009347",
            "modified_time": "2026-07-09T16:59:10Z",
            "sha256": "e0607a23b0fe8f0cfcaff40e021d2b66893dc14b9389c4fa498bd9f21c2987ab",
            "import_time": "2026-07-09T17:19:27.254988102Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "f84f64cb815db4292d41676cee2df5e9e5ca2953ed29f3bd2288e83d7c3779dc",
            "id": "IN-MAL-2026-009349",
            "import_time": "2026-07-09T17:19:27.5007761Z",
            "modified_time": "2026-07-09T16:59:24Z",
            "versions": [
                "1.1.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "fd43366b04ea80c2244079c09602623af157ce00cba9ae1837005b97ffe44bdb",
            "id": "IN-MAL-2026-009590",
            "import_time": "2026-07-09T23:30:55.722775498Z",
            "modified_time": "2026-07-09T22:58:27Z",
            "versions": [
                "2.1.2"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / tailwind-animate-v4

Package

Name
tailwind-animate-v4
View open source insights on deps.dev
Purl
pkg:npm/tailwind-animate-v4

Affected ranges

Affected versions

1.*
1.1.0
2.*
2.1.0
2.1.1
2.1.2

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "1e0284e6eb1f18174e1742971b7d05c64e7e08b0b83909feb57d109607c697c87ba3a4",
            "sha256": "fcdbb2a38e3ff2c9f9e5edab932249b19bfeaaef08dadab01e16a6eb4adf2821",
            "path": "index.js"
        },
        {
            "sha256": "2ac2c0bb89b69c4c0086d303552702d2cffb0beb7efcd095c9585dbbfab013f8",
            "tlsh": "250190078a265d3313c15fac96eeadc718df5053410696c73ca4b0b8c1c8159936f597",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "tailwind-animate-v4-2.1.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-u6ehTD1lsVg1XsEIMyRTiDzORc78vtr8wgAJEDpswRiZXSgxAvCqMZoyYmB4HK4i4I38flUmC71mh1LnarMtFg==",
                "sha1": "ca8814be99c45753f6ce9fee7640b0135cf5d4d1"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tailwind-animate-v4/MAL-2026-10073.json"