-= Per source details. Do not edit below this line.=-
The package presents itself as a Tailwind CSS animation plugin and reproduces the legitimate tailwindcss-animate source (including its original author metadata) verbatim in index.js. A long whitespace run at the end of the file visually hides an appended obfuscated loader. On require(), the loader permutation-decodes a string to recover the identifiers 'require', 'module', '__dirname', '__filename', and 'undefined', re-installs them on the global object, then resolves the Function constructor indirectly via a String prototype method whose name is produced by string permutation ('constructor'). It then uses Function() to compile and immediately invoke a large opaque decoded payload (uwg(4261)). This is dynamic execution of an obfuscated blob at library-load time, delivered under a name that mimics the widely used tailwindcss-animate package. Any project that adds this dependency and requires it will execute the hidden payload in the developer/build process, with full access to environment variables, filesystem, and network.
{
"malicious-packages-origins": [
{
"sha256": "90507eebce1061b352492fe3e6bb9673a9b4072c5b35381df73d86b52a342889",
"id": "IN-MAL-2026-009102",
"import_time": "2026-07-09T16:20:40.805709628Z",
"modified_time": "2026-07-09T15:28:38Z",
"versions": [
"2.1.1"
],
"source": "amazon-inspector"
},
{
"versions": [
"2.1.0"
],
"id": "IN-MAL-2026-009347",
"modified_time": "2026-07-09T16:59:10Z",
"sha256": "e0607a23b0fe8f0cfcaff40e021d2b66893dc14b9389c4fa498bd9f21c2987ab",
"import_time": "2026-07-09T17:19:27.254988102Z",
"source": "amazon-inspector"
},
{
"sha256": "f84f64cb815db4292d41676cee2df5e9e5ca2953ed29f3bd2288e83d7c3779dc",
"id": "IN-MAL-2026-009349",
"import_time": "2026-07-09T17:19:27.5007761Z",
"modified_time": "2026-07-09T16:59:24Z",
"versions": [
"1.1.0"
],
"source": "amazon-inspector"
},
{
"sha256": "fd43366b04ea80c2244079c09602623af157ce00cba9ae1837005b97ffe44bdb",
"id": "IN-MAL-2026-009590",
"import_time": "2026-07-09T23:30:55.722775498Z",
"modified_time": "2026-07-09T22:58:27Z",
"versions": [
"2.1.2"
],
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"tlsh": "1e0284e6eb1f18174e1742971b7d05c64e7e08b0b83909feb57d109607c697c87ba3a4",
"sha256": "fcdbb2a38e3ff2c9f9e5edab932249b19bfeaaef08dadab01e16a6eb4adf2821",
"path": "index.js"
},
{
"sha256": "2ac2c0bb89b69c4c0086d303552702d2cffb0beb7efcd095c9585dbbfab013f8",
"tlsh": "250190078a265d3313c15fac96eeadc718df5053410696c73ca4b0b8c1c8159936f597",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "tailwind-animate-v4-2.1.1.tgz",
"hashes": {
"sha512_sri": "sha512-u6ehTD1lsVg1XsEIMyRTiDzORc78vtr8wgAJEDpswRiZXSgxAvCqMZoyYmB4HK4i4I38flUmC71mh1LnarMtFg==",
"sha1": "ca8814be99c45753f6ce9fee7640b0135cf5d4d1"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tailwind-animate-v4/MAL-2026-10073.json"