-= Per source details. Do not edit below this line.=-
The package name '@tailwind-core/oxide-linux-x64-gnu' impersonates the legitimate Tailwind CSS v4 oxide engine package '@tailwindcss/oxide-linux-x64-gnu' published under the tailwindlabs scope. Version 4.3.0 mirrors Tailwind's release line, increasing the chance of accidental adoption via typo or dependency-confusion. The repository URL in package.json points to 'github.com/QaLemos/tailwind-core.git', a personal account with no relationship to the tailwindlabs publisher. The package ships a single 2.9 MB native binary 'tailwind-core-oxide.linux-x64-gnu.node' declared as main; on require(), Node loads the native module via napi_register_module_v1 and executes attacker-controlled code. No source is shipped, so the binary's behavior cannot be inspected. The combination of an exact-scope-rename of a top-tier package, version-line mirroring, publisher mismatch, and an opaque native payload that executes on require is the typosquat-with-payload shape: name confusion supplies the distribution, and the unverifiable native binary supplies the import-time execution surface.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-003602",
"versions": [
"4.3.0"
],
"sha256": "49cf27628927e98f949219168f4167d2551353200e78ff52f02e2ef57b0211f4",
"source": "amazon-inspector",
"modified_time": "2026-05-20T19:31:05Z",
"import_time": "2026-05-26T05:50:56.657988496Z"
},
{
"id": "IN-MAL-2026-003601",
"import_time": "2026-05-26T05:50:56.54608648Z",
"sha256": "a107a0746f2f5159d661e4d332eac53f871b9d22f80caf5863bdd713e252ae00",
"source": "amazon-inspector",
"modified_time": "2026-05-20T19:31:05Z",
"versions": [
"4.3.0"
]
}
]
}
{
"evidence_files": [
{
"path": "package.json",
"sha256": "1123b4c6b433935531a102dacab6c32c5aa67c2959c74c30a2fec700ee78c4e6",
"tlsh": "42f08b13e2348d330aec1a508ede02c256b30887c4583c197acb811c0b7c613617c4ea"
}
],
"package_integrity": [
{
"filename": "oxide-linux-x64-gnu-4.3.0.tgz",
"hashes": {
"sha512_sri": "sha512-YxOTtvmSHo52tVyVrs0gd19DNmPN44aYuWUqFHejsThoVrnkrPD2YH3+Z0QVwSOcnsU/IAscDdxfiLIFw//+yw==",
"sha1": "758755806c7718e79af011bfc2d9c65ac84c5be0"
}
}
],
"domains": [
"34.2.16.104.in-addr.arpa"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@tailwind-core/oxide-linux-x64-gnu/MAL-2026-4448.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]