-= Per source details. Do not edit below this line.=-
The package publishes under the name of the legitimate better-tailwindcss project but its package.json declares both a runtime and dev dependency on better-tailwindcss resolved from http://pack.nppacks.com/npm/better-tailwindcss — a plain-HTTP, non-registry host with no integrity hash and no TLS. On npm install, npm fetches and installs that arbitrary, mutable tarball, and any install/postinstall scripts inside it execute on the installer's machine. The shipped code itself is a Babel plugin clone unrelated to the real better-tailwindcss project (a tailwind ESLint plugin) and carries a self-label describing the package as being for 'Security Research Testing Purpose,' confirming it is a namespace squat used as a delivery vehicle for code hosted at pack.nppacks.com.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-010391",
"versions": [
"4.6.3"
],
"modified_time": "2026-07-14T04:35:12Z",
"source": "amazon-inspector",
"sha256": "302c3b7766a431cefe81d41434fd4c5aae74aacec230488bd004eca18cbe8dff",
"import_time": "2026-07-14T05:49:18.918263394Z"
}
]
}[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
{
"package_integrity": [
{
"filename": "better-tailwindcss-4.6.3.tgz",
"hashes": {
"sha512_sri": "sha512-Ww+jHuid3pRK8Zc7llnM0B0GW5EfHzlCECXuzQ5xQtc9wRW8SdN86GsrUhV82FoGxD3OKBWSwTC+utp4XpyuHA==",
"sha1": "b6d5a6ef90307a21a69efa16afad9b6d14fa537a"
}
}
],
"evidence_files": [
{
"path": "package.json",
"sha256": "9f7cc1544cc6cec136b6a262c58848b24e4604f402911eff0552f86f1f42c789",
"tlsh": "baf04c56ce22ae7344d631502f665006f25159472c19fe0832cf672e4a8e0ef71f415e"
},
{
"path": "index.js",
"sha256": "f2fcebdb4f0e41365a39ca87a52fcc4e6abd5633fe6272e60d1386d26b90ef41",
"tlsh": "71a1935ab5e0159745aa22e5b3ce48b577bd80b3330df5a0b54cbf563f40c348a1aed1"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/better-tailwindcss/MAL-2026-10550.json"