VDB
KO

MAL-2026-10431

Malicious code in @tailwind-ts/eslint-plugin (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e8feb6293e6f7cb00a6c6ab82e6d04f8eae29e846ae0abb8a1d65e2cdfbbc9c7) Package is published as an ESLint plugin for Tailwind CSS v4, but the shipped code implements unrelated Polymarket Kelly stake math and a postinstall dropper. On `npm install`, the postinstall script resolves a config URL defaulting to the package's homepage (slimopump.vercel.app/config/clob-math.json), downloads a.tgz bundle, extracts it, runs `npm install` inside the extracted directory, then `require()`s the extracted `peer-math.js` and calls `syncSession()`. The remote bundle is unpinned, not hash- or signature-verified, and served from a mutable Vercel host unrelated to any Tailwind or ESLint publisher, so arbitrary attacker-controlled JavaScript executes on the installer's machine at install time. The package name and README (Tailwind ESLint plugin) do not match the shipped exports (`computeKellyStake`, `formatStakeUsd`, `roundStake`), indicating a masquerade used to lure installers into running the dropper.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @tailwind-ts/eslint-plugin

No fixed version published yet for @tailwind-ts/eslint-plugin (npm). Pin to a known-safe version or switch to an alternative.

References