MAL-2026-4680

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0818530f40672586168012538662486135f040526d0e4377f362b6bfe2f61bd2)

The package name impersonates the official @tailwindcss/typography plugin and replicates its README and source verbatim (including links to tailwindlabs/tailwindcss-typography), but src/index.js appends an obfuscated IIFE that runs whenever a consumer require()s the package. The trailing block uses a custom Fisher-Yates-style shuffle decoder (sfL) to reconstruct the strings 'require', 'module', and 'constructor' from a scrambled alphabet, resolves the Function constructor via String.constructor (dgC=sfL[EKc]), builds a function from a decoded payload (xBg=dgC(Apa, sfL(joW))), and immediately invokes it with a second decoded blob (Tgw(2509)). This is eval-of-opaque-string at module load time, hidden behind a custom decoder specifically designed to defeat static review. Any project that adopts this 'plugin' executes attacker-controlled JavaScript inside its build process, with full access to the developer's environment, source tree, and any credentials reachable from the build host. The combination of (a) deliberate name impersonation of a top-tier Tailwind package, (b) verbatim cover-story README/code, and (c) injected obfuscated Function-constructor execution leaves no benign interpretation.

Source: ghsa-malware (6be3309e5c75c7b9384af322a3177e1264bb20d7d63a49ba2d450d5ca4cf7901)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.