MAL-2026-5487

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tailwind-form/MAL-2026-5487.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5487
Published
2026-06-09T20:09:10Z
Modified
2026-06-09T21:01:36.579297350Z
Summary
Malicious code in tailwind-form (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (37a2959fd43465328b090afd0464e0e3de0e1677ecd2068d4ef05bdfe5867b79)

tailwind-form is a typosquat of the legitimate @tailwindcss/forms plugin (the README and repository field are copied from tailwindlabs/tailwindcss-forms, but the package is published under an unrelated name by an unaffiliated author). The main module src/index.js ends with an eval that fetches https://www.jsonkeeper.com/b/NFTTN via axios and evals the returned JSON field content_o. Any project that requires this package executes whatever JavaScript is currently hosted at that public, author-mutable paste URL — giving the publisher unconditional remote code execution on every installer's machine at module-load time.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T20:09:10Z",
            "versions": [
                "0.5.12"
            ],
            "sha256": "37a2959fd43465328b090afd0464e0e3de0e1677ecd2068d4ef05bdfe5867b79",
            "id": "IN-MAL-2026-005189",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T20:45:50.355431299Z"
        }
    ]
}
References
Credits

Affected packages

npm / tailwind-form

Package

Affected ranges

Affected versions

0.*
0.5.12

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "c7cf538be94011e3ee10d9e5dbe2f7ab85a79522c5775d79008bf063fce23156",
            "tlsh": "23524417e172421f2d73496e91eda9c4e306632b826019a3f8bc54700ffb584aa67e7d",
            "path": "src/index.js"
        },
        {
            "sha256": "26520df5e3ccef49d1c0bd319f809c5d3969916ea9383fff103332aecba08b42",
            "tlsh": "9f219e33cd444e3745b06671e6b80643f287572b9128e84f31fa819c8f766b7d094a5f",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-GXVtf2BH94DWs/YfdLZ/C/obLbyaWWmjtB3BDjjrXY4xp8sAk0I4r/lw+S//lQlZzcYAQs+qbL5jP2UIkK6pvA==",
                "sha1": "d03fcd28cf7f62d08de8cb0da83955d64398304c"
            },
            "filename": "tailwind-form-0.5.12.tgz"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tailwind-form/MAL-2026-5487.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]