MAL-2026-4451

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@tailwind-core/vite/MAL-2026-4451.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4451
Withdrawn
2026-05-26T20:46:07Z
Published
2026-05-19T23:54:08Z
Modified
2026-05-27T00:32:06.793393137Z
Summary
Malicious code in @tailwind-core/vite (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1f9a00740b85c3ce7b36a9ba242f3eccc9ebf3d4f626ab911342c50d63b48805)

The package name @tailwind-core/vite impersonates the official @tailwindcss/vite plugin from tailwindlabs, and its package.json declares three dependencies — @tailwind-core/node@4.3.0, tailwind-core@4.3.0, and @tailwind-core/oxide@4.3.0 — that mirror the official @tailwindcss/node, tailwindcss, and @tailwindcss/oxide packages. The README copies Tailwind branding, including a logo srcset pointing at tailwindlabs/tailwind-core, but the repository is owned by an unrelated account (QaLemos), not tailwindlabs. While dist/index.mjs in this tarball appears to be a copy of the legitimate Tailwind Vite plugin with no overt payload, installing this package silently pulls in three sibling typosquatted packages under the same attacker-controlled namespace. A developer who mistypes the official scope and runs npm install @tailwind-core/vite ends up with attacker-controlled code from the sibling packages in their dependency tree.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "1f9a00740b85c3ce7b36a9ba242f3eccc9ebf3d4f626ab911342c50d63b48805",
            "id": "IN-MAL-2026-003306",
            "import_time": "2026-05-26T05:50:23.546934729Z",
            "modified_time": "2026-05-19T23:54:08Z",
            "versions": [
                "4.3.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "4.3.0"
            ],
            "id": "IN-MAL-2026-003307",
            "import_time": "2026-05-26T05:50:23.7020961Z",
            "modified_time": "2026-05-19T23:54:09Z",
            "sha256": "cb9dde628a04d805d26041556263f1c6693ac76453942cee8b535daee2230381",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @tailwind-core/vite

Package

Name
@tailwind-core/vite
View open source insights on deps.dev
Purl
pkg:npm/%40tailwind-core%2Fvite

Affected ranges

Affected versions

4.*
4.3.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "df4d860cc8dd1dfb0732b8b1f460393ba26b58ee0386cfe046d716004222c486",
            "tlsh": "47115b26c5745cb307d915d0acf91113a2b3581789d87d4536c7811d4bcda97a0be2df",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "vite-4.3.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-UOjss9ConvVxb4dacJyiLr7AZQBWcGpXKOPGhV0BC+yJs2r0jEHTqjEzjwfsmlCBdMk/oB+GTN26cC5UMYxSng==",
                "sha1": "9d19ec05feefc334500bbfa3942b3de90aac1110"
            }
        }
    ],
    "domains": [
        "34.5.16.104.in-addr.arpa",
        "34.2.16.104.in-addr.arpa"
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@tailwind-core/vite/MAL-2026-4451.json"