VDB
KO

MAL-2026-10073

Malicious code in tailwind-animate-v4 (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f84f64cb815db4292d41676cee2df5e9e5ca2953ed29f3bd2288e83d7c3779dc) Package name `tailwind-animate-v4` impersonates the legitimate `tailwindcss-animate` Tailwind plugin; the README and author field are copied verbatim from the legitimate package. The `main` entry `index.js` appends, after thousands of tab characters used as anti-review padding, a shuffled-string decoder that builds a function via the Function constructor and immediately invokes it at module load. Before the eval, the payload assigns `require`, `__dirname`, and `__filename` onto `global` (with marker `global.o='1-project'`) so the decoded body regains full Node.js module capabilities. Any developer who installs this package and references it from `tailwind.config.js` (`require('tailwind-animate-v4')`) executes the hidden payload in their Node.js process at import time. The combination of name impersonation, hidden padding, string-shuffle obfuscation, and Function-constructor eval of an opaque body is an unambiguous supply-chain attack against installers of the legitimate plugin.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / tailwind-animate-v4

No fixed version published yet for tailwind-animate-v4 (npm). Pin to a known-safe version or switch to an alternative.

References