MAL-2026-4449

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@tailwind-core/oxide-win32-x64-msvc/MAL-2026-4449.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4449

Withdrawn

2026-05-26T20:46:07Z

Published

2026-05-20T03:22:12Z

Modified

2026-05-27T00:32:05.801215904Z

Summary

Malicious code in @tailwind-core/oxide-win32-x64-msvc (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d93cb69a6f12f5739ab03d78641f2a79179750b6182f65ba5b8fb8ec4a1399bc)

The package name @tailwind-core/oxide-win32-x64-msvc impersonates the legitimate Tailwind CSS scope @tailwindcss (published by tailwindlabs). The README claims this is the win32-x64-msvc binary for Tailwind v4's Rust engine @tailwindcss/oxide, but the source repository is github.com/QaLemos/tailwind-core, which has no association with Tailwind Labs. The package's main entry is a 3.1 MB compiled .node native addon with no accompanying JavaScript wrapper or source, so its behavior cannot be audited. Because consumers typically receive this package as an optional/platform dependency of the parent @tailwind-core/oxide package, a require() resolves directly to the opaque native binary and executes arbitrary native code in the consumer's Node.js process at load time. The combination of scope-level typosquat against a top-tier package, publisher mismatch, and an unverifiable native payload as the sole artifact matches a namespace-abuse-with-native-payload shape.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "d93cb69a6f12f5739ab03d78641f2a79179750b6182f65ba5b8fb8ec4a1399bc",
            "id": "IN-MAL-2026-003446",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T03:22:12Z",
            "versions": [
                "4.3.0"
            ],
            "import_time": "2026-05-26T05:50:39.540018577Z"
        }
    ]
}

References

https://www.npmjs.com/package/@tailwind-core/oxide-win32-x64-msvc/v/4.3.0

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / @tailwind-core/oxide-win32-x64-msvc

Package

Name: @tailwind-core/oxide-win32-x64-msvc; View open source insights on deps.dev
Purl: pkg:npm/%40tailwind-core%2Foxide-win32-x64-msvc

Affected ranges

Affected versions

4.*

4.3.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@tailwind-core/oxide-win32-x64-msvc/MAL-2026-4449.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "tlsh": "4cf05923c2365d330adc5e8048ea32c296b3580744887d497bcbc99c0faca17727c1ee",
            "sha256": "4d2106fcfb2e8034927fd2b674ab3ff3c6cc595dbca31f84f14e4ede07bfddcd",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "oxide-win32-x64-msvc-4.3.0.tgz",
            "hashes": {
                "sha1": "4d63d8490181cddcff7a16dedb093bc527b20dd6",
                "sha512_sri": "sha512-7sBVFy0nMCmgsdjX3DJxlbhJf6qepzLofPNvgAyRYePCzvcTVaYTSPeig6bkr366Ji2aqSH8flflcCob1JcqzA=="
            }
        }
    ]
}