MAL-2026-4681

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tailwind-typography-stylecss/MAL-2026-4681.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4681
Published
2026-05-24T03:14:39Z
Modified
2026-05-26T06:02:57.682726157Z
Summary
Malicious code in tailwind-typography-stylecss (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (273b99f5721643d8ba8335fd73b46b4b32f81406d73f44e7a16552e16b8becd6)

Package name 'tailwind-typography-stylecss' impersonates the official '@tailwindcss/typography' plugin; the shipped README is a verbatim copy of the official package's documentation, instructing users to install under the squatted name. The package's main entry src/index.js contains the legitimate plugin source followed by an appended obfuscated payload that fires on every require()/import. The payload uses a bespoke shuffle-cipher decoder (function sfL with constants n=2667686, modulus 4289487) to recover the string 'constructor', then invokes Function.constructor on a decoded body string and calls the resulting function — a classic dynamic-eval-of-opaque-blob construction. Before invocation, the code explicitly assigns require and module onto the global object (global[_$1e42[0]]=require; global[$_1e42[2]]=module) so that the dynamically constructed Function — which normally has no closure access to module-scope identifiers — can still reach Node's require and module APIs. The combination of name impersonation, verbatim-legitimate-source-plus-appended-payload, custom obfuscator, Function-constructor execution, and deliberate re-exposure of require/module on globals leaves no benign interpretation. Any project that follows the README and require()s this package executes attacker-controlled code in the consumer's Node process.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-24T03:14:39Z",
            "versions": [
                "0.8.3"
            ],
            "sha256": "273b99f5721643d8ba8335fd73b46b4b32f81406d73f44e7a16552e16b8becd6",
            "id": "IN-MAL-2026-004456",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:38.158974559Z"
        },
        {
            "import_time": "2026-05-26T05:52:38.250863679Z",
            "versions": [
                "0.8.3"
            ],
            "sha256": "cfd980bf98e04f3932c894ad9adf8597ef9e71371c6782b28a592387bcb35799",
            "id": "IN-MAL-2026-004457",
            "source": "amazon-inspector",
            "modified_time": "2026-05-24T03:14:40Z"
        }
    ]
}
References
Credits

Affected packages

npm / tailwind-typography-stylecss

Package

Name
tailwind-typography-stylecss
Purl
pkg:npm/tailwind-typography-stylecss

Affected ranges

Affected versions

0.*
0.8.3

Database specific

indicators
{
    "domains": [
        "api.trongrid.io",
        "bsc-dataseed.binance.org",
        "fullnode.mainnet.aptoslabs.com",
        "bootstrap.pypa.io"
    ],
    "evidence_files": [
        {
            "sha256": "2eafde87ed00532e9de263396629a4612f960ba7788c8fb199d5e88dfac6dc87",
            "tlsh": "6f021961209662a1034b115b0f4ed419f1aa89d75c1fb8a0f1fde1686f4824e8bb4eff",
            "path": "src/index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "tailwind-typography-stylecss-0.8.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-36fs2n+nygI4YQDNce7yhaS2TTsX+IY/dheICPHymcFJuhdE6yyxO/q43B7l4jWgqPKF7H7YyepHGcLIycc1RQ==",
                "sha1": "d801da4cd7866e1adb9595506eea0d327fcb0be3"
            }
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tailwind-typography-stylecss/MAL-2026-4681.json"