MAL-2026-5935

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tw-theme-kit/MAL-2026-5935.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5935

Published

2026-06-16T22:21:38Z

Modified

2026-06-16T23:16:56.885859202Z

Summary

Malicious code in tw-theme-kit (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0144b9ea6743e481e49885f6375a8aa990e9a20bfc5da1148b7df59a9370736c)

The published entrypoints dist/index.cjs and dist/runtime.cjs contain an injected IIFE that assigns global.r = require and global.m = module, tags the host with campaign id 'A6-Orion-271', uses a string-shuffle helper to reconstruct the identifier 'constructor', then invokes Function() on a deshuffled obfuscated blob and immediately calls the resulting function. Any consumer that does require('tw-theme-kit') or import 'tw-theme-kit/runtime' triggers attacker-controlled code at load time with full Node capabilities (fs, child_process, net) exposed via the globals. This behavior is unrelated to the package's stated purpose (a Tailwind theme plugin) and matches the fingerprint of the 'Orion' obfuscated-loader campaign. The.mjs builds and source-maps embed the same obfuscated literal, so no entrypoint is safe.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "0144b9ea6743e481e49885f6375a8aa990e9a20bfc5da1148b7df59a9370736c",
            "versions": [
                "1.1.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T22:21:38Z",
            "id": "IN-MAL-2026-006848",
            "import_time": "2026-06-16T23:03:43.703368387Z"
        }
    ]
}

References

https://www.npmjs.com/package/tw-theme-kit/v/1.1.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / tw-theme-kit

Package

Name: tw-theme-kit; View open source insights on deps.dev
Purl: pkg:npm/tw-theme-kit

Affected ranges

Affected versions

1.*

1.1.0

Database specific

indicators

{
    "package_integrity": [
        {
            "filename": "tw-theme-kit-1.1.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-wW+MgsdKOTDDfF3ldqEOFH84JJ4fxSXw6bjS6NXhtMTeXkIzuoGsXXKj2vvF58HTQCTQTxQASrYNLF08svZ0+A==",
                "sha1": "190b3a8c76e72928ba27eaeec223ee1dc79563f5"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "ce9e98ae597db38c523eb0141be40b29d462e22edffad6be38b562193ff278e6",
            "tlsh": "cc421985b7fa2623007394ed412b8016faa9b1421419f748f9ddd3e80f8a21ec9f57e9",
            "path": "dist/index.cjs"
        },
        {
            "sha256": "eea38ba44c83cf0fc821802e00dec564f35ba062ce3817517b7c4af41bc4510f",
            "tlsh": "83e13cc43bf97766217200a5121790067594b1838429f58cedeee3e90fda21f89f8bf9",
            "path": "dist/runtime.cjs"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tw-theme-kit/MAL-2026-5935.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]