MAL-2026-4450

Import Source: https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@tailwind-core/postcss/MAL-2026-4450.json
JSON Data: https://api.osv.dev/v1/vulns/MAL-2026-4450
Withdrawn: 2026-05-26T20:46:07Z
Published: 2026-05-20T00:24:18Z
Modified: 2026-05-27T00:32:06.761275461Z
Summary: Malicious code in @tailwind-core/postcss (npm)
Details


Source: amazon-inspector (1dab944715339b0fabcf954a92fd33faacbb4d878368c36ea5a7d26d72fe2e56)

The package name @tailwind-core/postcss is a close look-alike of the official @tailwindcss/postcss (the Tailwind CSS v4 PostCSS plugin), published under the unrelated @tailwind-core scope by GitHub user QaLemos with the homepage tailwind-core.com. The package's main entry, dist/index.js, calls require("@tailwind-core/node") and require("@tailwind-core/oxide"), both typosquats of the legitimate @tailwindcss/node and @tailwindcss/oxide siblings, and declares them as version-pinned dependencies (4.3.0). Installing this package therefore silently pulls the attacker-controlled @tailwind-core/* family into the consumer's dependency tree, and whatever code those siblings contain runs automatically whenever the PostCSS plugin is loaded by a consumer's build. The README compounds the deception: it displays npm version, download and license badges sourced from tailwindlabs/tailwindcss while pointing its issue and discussion links at QaLemos/tailwind-core, presenting the legitimate project's metrics as if they belonged to this fork.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003316",
            "import_time": "2026-05-26T05:50:24.734645318Z",
            "sha256": "1dab944715339b0fabcf954a92fd33faacbb4d878368c36ea5a7d26d72fe2e56",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T00:24:18Z",
            "versions": [
                "4.3.0"
            ]
        },
        {
            "id": "IN-MAL-2026-003317",
            "versions": [
                "4.3.0"
            ],
            "sha256": "b6943d366cdae1c8ce59319a3b566ff1e0b3b17e4641671a5a2bbc83517683ce",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T00:24:18Z",
            "import_time": "2026-05-26T05:50:24.83649455Z"
        }
    ]
}
References
Credits

Affected packages

npm / @tailwind-core/postcss

Package

Name
@tailwind-core/postcss
Purl
pkg:npm/%40tailwind-core%2Fpostcss

Affected ranges

Affected versions

4.*
4.3.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "9b2a480bfd70b67463f3eefd8171c7be39b53c81ac697d494eb160a92ea9c8d8",
            "tlsh": "70216b22c5644c730ad512c06df91122a6b7881789d87d4937c7822d4fcd6aba2be7cf"
        },
        {
            "path": "README.md",
            "sha256": "0991b74ef78a781f294abe4aaae9d150f47aef89f917ef275df0b565e8571423",
            "tlsh": "c761746b809d3d3f0912618087d03195d7a3512bda90756bbca680397bed222f27fac7"
        }
    ],
    "package_integrity": [
        {
            "filename": "postcss-4.3.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-VNDrWOUo3UFCLNu0aAPkftueYVFUVqm2TgErUJ5WK0L2K5c2ywv1Jsoo/kmGrmM2zeCNeC+Ym7DIVNncEAMz3Q==",
                "sha1": "9e79707fe1af2a35ed37f5976309f130e3744594"
            }
        }
    ],
    "domains": [
        "34.0.16.104.in-addr.arpa"
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@tailwind-core/postcss/MAL-2026-4450.json"