MAL-2026-3776

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/typography-stylecss/MAL-2026-3776.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3776
Published
2026-05-14T19:25:18Z
Modified
2026-05-15T07:51:42.071501Z
Summary
Malicious code in typography-stylecss (npm)
Details

Source: amazon-inspector (4eeb50f69746fd21696baaa7d3534bbd22489edb037742ca591d49ca88981f70)

The package impersonates the legitimate @tailwindcss/typography plugin: README, src/index.js, src/utils.js, and src/styles.js are copied verbatim from the Tailwind Labs plugin, and peerDependencies lists tailwindcss to reinforce the masquerade, but the package is published under the unrelated name typography-stylecss. Appended to src/index.js after the legitimate module.exports = plugin.withOptions(...) is an obfuscator.io-style payload (hex-named identifiers _0x168f6b, _0x3fc27f, etc., with a rotated string table _0x5975). Decoded string-table fragments include platform branching ('win32', 'windows', 'agent-linux-') and a URL path template /agents/<deploymentHash> built against a base URL read from a __SSTAR_API_BASE global, consistent with downloading a platform-specific agent binary and executing it. Because this code sits at module top level, it fires on require('typography-stylecss') / import 'typography-stylecss' — exactly the usage the cloned README instructs developers to add to their tailwind.config.js. Any build or dev server that loads the Tailwind config will trigger the dropper, which fetches and runs an attacker-controlled native binary on the installer's machine.
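As an added example that is not part of the advisory or the OSSF repository, the following JavaScript turns the two signals described above (a README that tells users to require a package other than the one named in package.json, and obfuscator.io-style hex identifiers appearing after the final module.exports) into review heuristics a defender can run over an unpacked package; the sample package contents and the function names are assumptions, and the obfuscated tail in the sample is an inert stand-in.

```javascript
// Added example (not advisory/OSSF code): review heuristics over an unpacked npm package.
// Identifiers of the form _0x<hex>, characteristic of obfuscator.io output.
function hexIdentifiers(source) {
  return [...new Set(source.match(/\b_0x[0-9a-f]{4,}\b/g) || [])];
}

// Package names the README tells users to require() that differ from the
// name in package.json (the masquerade described in the advisory).
function readmeNameMismatch(pkgJson, readme) {
  const names = new Set();
  for (const m of readme.matchAll(/require\(\s*['"]([^'"]+)['"]\s*\)/g)) names.add(m[1]);
  return [...names].filter((n) => n !== pkgJson.name);
}
// True when hex identifiers appear after the last module.exports: code
// appended behind the legitimate export, which runs at require() time.
function hasObfuscatedTail(source) {
  const idx = source.lastIndexOf('module.exports');
  return idx !== -1 && hexIdentifiers(source.slice(idx)).length > 0;
}

// Combine the signals into review findings for one package.
function reviewPackage({ pkgJson, readme, entrySource }) {
  const findings = [];
  const wrong = readmeNameMismatch(pkgJson, readme);
  if (wrong.length) findings.push(`README requires ${wrong.join(', ')} but name is ${pkgJson.name}`);
  const ids = hexIdentifiers(entrySource);
  if (ids.length) findings.push(`obfuscator.io-style identifiers: ${ids.join(', ')}`);
  if (hasObfuscatedTail(entrySource)) findings.push('obfuscated code follows the last module.exports');
  return findings;
}
// Constructed sample shaped like the advisory's description; the tail is an
// inert stand-in that only reuses identifier names the advisory quotes.
const SUSPECT = {
  pkgJson: { name: 'typography-stylecss' },
  readme: "module.exports = {\n  plugins: [require('@tailwindcss/typography')],\n}",
  entrySource: [
    "const plugin = require('tailwindcss/plugin')",
    'module.exports = plugin.withOptions(function (options = {}) {',
    '  return function ({ addComponents }) { addComponents({}) }',
    '})',
    "var _0x5975 = ['win32', 'windows']; function _0x168f6b() { return _0x5975 }",
  ].join('\n'),
};
// Constructed clean sample: README and package.json agree, no hex identifiers.
const CLEAN = {
  pkgJson: { name: '@tailwindcss/typography' },
  readme: "plugins: [require('@tailwindcss/typography')]",
  entrySource: "module.exports = require('tailwindcss/plugin').withOptions(() => () => {})",
};
```

Run reviewPackage(SUSPECT) to see all three findings and reviewPackage(CLEAN) to confirm an empty result; both heuristics are signals for manual review, not proof of malice on their own.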

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-14T19:25:18Z",
            "versions": [
                "0.7.4"
            ],
            "sha256": "4eeb50f69746fd21696baaa7d3534bbd22489edb037742ca591d49ca88981f70",
            "id": "IN-MAL-2026-002713",
            "source": "amazon-inspector",
            "import_time": "2026-05-15T07:37:17.770978187Z"
        }
    ]
}
References
Credits

Affected packages

npm / typography-stylecss

Package

Name
typography-stylecss
Purl
pkg:npm/typography-stylecss

Affected ranges

Affected versions

0.*
0.7.4

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "227b58b46968b0f0771baf98a224bfcc400f77ed127d714237f6450f58771062",
            "tlsh": "cc827354b6c6b080138b9b77221fb0e9e12e06cb794c1857f15c78d0bf78619d6eae78",
            "path": "src/index.js"
        },
        {
            "sha256": "a37c94468ea42b0b0a7fb46bd6c689268190093975372c6982e371ac118c56e1",
            "tlsh": "fb31df10dd148eb341d5686a99381517a962c4539a68fc0c33c6478c4f0e2bfa0fe5ee",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-tiNS5Yl8VmA6Wege03VgUvcFKFce6rvsxUPd9Zp3Y/A9r0PcHTOXiUTKCOvHv7IuMVs4F1kZgK1QfrUxGRSYwA==",
                "sha1": "36f545aa6e3a8aa2f6b12cf22419049fc3fe89c1"
            },
            "filename": "typography-stylecss-0.7.4.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/typography-stylecss/MAL-2026-3776.json"