MAL-2026-4452

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@tailwind-core/webpack/MAL-2026-4452.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4452
Withdrawn
2026-05-26T20:46:07Z
Published
2026-05-20T01:16:03Z
Modified
2026-05-27T00:32:06.797463745Z
Summary
Malicious code in @tailwind-core/webpack (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7955094460738dc65288f88a3bb990c7d3ff52ed3683f11265b7072bd80aa4e3)

Package @tailwind-core/webpack impersonates the legitimate Tailwind v4 webpack loader @tailwindcss/webpack. The README copies Tailwind Labs branding by linking logo assets at raw.githubusercontent.com/tailwindlabs/tailwind-core/HEAD/.github/logo-light.svg and claims a tailwind-core.com homepage, while the actual repository is QaLemos/tailwind-core (not Tailwind Labs). The loader code itself is a faithful copy of the upstream loader and performs no direct network or credential activity, but package.json pins three sibling typosquats as dependencies (tailwind-core@4.3.0, @tailwind-core/node@4.3.0, @tailwind-core/oxide@4.3.0), all in the same impersonated namespace and at the same version. Installing this package therefore pulls those siblings into the installer's dependency tree transitively. That is the namespace-abuse delivery vector: the lure looks like the official Tailwind v4 webpack loader, and it silently brings attacker-controlled sibling packages along with it.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003352",
            "versions": [
                "4.3.0"
            ],
            "sha256": "037a86564830bb02e1e68c91bcac017a5eee7139f1e6badf5053da1ed429f5fa",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T01:16:04Z",
            "import_time": "2026-05-26T05:50:28.71858756Z"
        },
        {
            "id": "IN-MAL-2026-003351",
            "import_time": "2026-05-26T05:50:28.593514418Z",
            "sha256": "7955094460738dc65288f88a3bb990c7d3ff52ed3683f11265b7072bd80aa4e3",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T01:16:03Z",
            "versions": [
                "4.3.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @tailwind-core/webpack

Package

Name
@tailwind-core/webpack
Purl
pkg:npm/%40tailwind-core%2Fwebpack

Affected ranges

Affected versions

4.3.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "cde9e55dbf1eb1163e7472ccaa1431f68351568ec1a2c564b8846801d9c7d22a",
            "tlsh": "70115922c1745d7306d811d098e91227a2b78c174d987d493ac3811d4bccaeb62bf6df"
        }
    ],
    "package_integrity": [
        {
            "filename": "webpack-4.3.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-xijZYl0KlTwa/3EERsPtypj8btE8Mrr1Y9hOJHyurr6sZlR0VijnMGvmYx2e3taMJZo4pBJzGtDdLWOdAPc92Q==",
                "sha1": "f79a49a15aa02eee6c9bd9519f65a0da2ed1fa37"
            }
        }
    ],
    "domains": [
        "34.10.16.104.in-addr.arpa",
        "34.6.16.104.in-addr.arpa"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@tailwind-core/webpack/MAL-2026-4452.json"