MAL-2026-10550

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/better-tailwindcss/MAL-2026-10550.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10550
Published
2026-07-14T04:35:12Z
Modified
2026-07-15T19:05:40.892282684Z
Summary
Malicious code in better-tailwindcss (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (302c3b7766a431cefe81d41434fd4c5aae74aacec230488bd004eca18cbe8dff)

The package publishes under the name of the legitimate better-tailwindcss project but its package.json declares both a runtime and dev dependency on better-tailwindcss resolved from http://pack.nppacks.com/npm/better-tailwindcss — a plain-HTTP, non-registry host with no integrity hash and no TLS. On npm install, npm fetches and installs that arbitrary, mutable tarball, and any install/postinstall scripts inside it execute on the installer's machine. The shipped code itself is a Babel plugin clone unrelated to the real better-tailwindcss project (a tailwind ESLint plugin) and carries a self-label describing the package as being for 'Security Research Testing Purpose,' confirming it is a namespace squat used as a delivery vehicle for code hosted at pack.nppacks.com.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-010391",
            "versions": [
                "4.6.3"
            ],
            "modified_time": "2026-07-14T04:35:12Z",
            "source": "amazon-inspector",
            "sha256": "302c3b7766a431cefe81d41434fd4c5aae74aacec230488bd004eca18cbe8dff",
            "import_time": "2026-07-14T05:49:18.918263394Z"
        }
    ]
}
References
Credits

Affected packages

npm / better-tailwindcss

Package

Affected ranges

Affected versions

4.*
4.6.3

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "better-tailwindcss-4.6.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-Ww+jHuid3pRK8Zc7llnM0B0GW5EfHzlCECXuzQ5xQtc9wRW8SdN86GsrUhV82FoGxD3OKBWSwTC+utp4XpyuHA==",
                "sha1": "b6d5a6ef90307a21a69efa16afad9b6d14fa537a"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "9f7cc1544cc6cec136b6a262c58848b24e4604f402911eff0552f86f1f42c789",
            "tlsh": "baf04c56ce22ae7344d631502f665006f25159472c19fe0832cf672e4a8e0ef71f415e"
        },
        {
            "path": "index.js",
            "sha256": "f2fcebdb4f0e41365a39ca87a52fcc4e6abd5633fe6272e60d1386d26b90ef41",
            "tlsh": "71a1935ab5e0159745aa22e5b3ce48b577bd80b3330df5a0b54cbf563f40c348a1aed1"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/better-tailwindcss/MAL-2026-10550.json"