MAL-2026-5618

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tailwind-animator-scroll/MAL-2026-5618.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5618
Published
2026-06-11T07:39:13Z
Modified
2026-06-11T08:01:32.823212418Z
Summary
Malicious code in tailwind-animator-scroll (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f89c3c4c01375bc7baef213c815a901ac3947eaf3835aa80ea67a725ece8d533)

The package's main entry src/index.js appends, after a large whitespace gap following the legitimate-looking Tailwind plugin code, an eval(atob('Z2xvYmFsWychJ109JzExJzt2YXIgXyRfMWU0Mj0...')) call. The decoded first stage re-exposes Node's require and module as global aliases (global['c']=require, etc. — typo-style obfuscation) and then invokes a second-stage IIFE that uses a custom shuffle decoder plus the Function() constructor to assemble and execute a further opaque payload. Because this lives in the main entry, simply adding the plugin to tailwind.config.js executes attacker-controlled code inside the developer's build environment, where CI tokens, environment variables, source code, and credentials are all reachable.

The package additionally impersonates the legitimate tailwindcss-animationfound plugin: the README copies its CSS class names and API surface verbatim, the install snippet uses yet another misspelling (tailwind-animatior-scroll), and a shields.io badge links to the real tailwindcss-animationfound package — a typosquat lure designed to catch developers who mistype or fuzzy-search for the legitimate plugin.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005708",
            "versions": [
                "1.7.0"
            ],
            "sha256": "ba3df97ff156b8e1e30b41be70b8a14bf5ca95949640fb51a96b3369231cf372",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T07:39:14Z",
            "import_time": "2026-06-11T07:49:43.362789663Z"
        },
        {
            "id": "IN-MAL-2026-005707",
            "versions": [
                "1.7.0"
            ],
            "sha256": "f89c3c4c01375bc7baef213c815a901ac3947eaf3835aa80ea67a725ece8d533",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T07:39:13Z",
            "import_time": "2026-06-11T07:49:43.287752429Z"
        }
    ]
}
References
Credits

Affected packages

npm / tailwind-animator-scroll

Package

Name
tailwind-animator-scroll
Purl
pkg:npm/tailwind-animator-scroll

Affected ranges

Affected versions

1.*
1.7.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "src/index.js",
            "sha256": "0a80cc4b7c4b222c859f83d9233174528a30bd7e763c11843199c9672849d1cb",
            "tlsh": "cef18db1bf9054bad34b634342686a09101b9d4e0c5c1cd9778ccc9a0fa9f118b6dfad"
        },
        {
            "path": "README.md",
            "sha256": "70d0982e278abaf01c3dea7398b2ecba083091cb7a07d7a9481a8368e031ca86",
            "tlsh": "6df1ffd3b12a273903a38273129f2811ccf659c5f1295ca9bdbd412d97b9938932f279"
        }
    ],
    "package_integrity": [
        {
            "filename": "tailwind-animator-scroll-1.7.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-YoFQuHpuiAnaObIxKPzhSel08QDua0zioYtHR/6ht/xYet/yY2BWkoopBEJSUu0C7hF6yRgjmaDK79eZ1imNcw==",
                "sha1": "3be855c4d14422515df31cec629dcfc37f1ab92f"
            }
        }
    ],
    "domains": [
        "api.trongrid.io",
        "bsc-dataseed.binance.org",
        "fullnode.mainnet.aptoslabs.com",
        "bootstrap.pypa.io"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tailwind-animator-scroll/MAL-2026-5618.json"