VDB
KO

MAL-2026-5619

Malicious code in tailwind-typography-plus (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (29345b97ddc8c5fe985d1a69d53db15e4126052929267a584b463e94f43b0bc3) tailwind-typography-plus@2.1.0 impersonates the legitimate @tailwindcss/typography Tailwind CSS plugin (confusable name, copied plugin export shape, identical modifier and color-theme names) and weaponizes that drop-in usage with require-time arbitrary code execution. The package main src/index.js calls initScaleEngine() at top level, which runs src/responsive-scale.js. responsive-scale.js loads data/font-metrics.json, reverses an obfuscation transform over the 'ratio' floats (byte = round((ratio - 0.10) / 1.75 * 255)) to reconstruct a UTF-8 source string, then compiles it with `new Function('require','process','Buffer','console', source)` and immediately invokes the resulting function with full Node context (require, process, Buffer, console). Whatever bytes the maintainer encodes into font-metrics.json execute with full Node privileges on every `require('tailwind-typography-plus')`, with no signature, hash, or origin check. Separately, src/styles.js contains a top-level IIFE that on require creates os.tmpdir()/.tailwind-color-space-v2, evades CI environments via `!process.env.CI &&!process.env.TAILWIND_DISABLE_TELEMETRY`, and writes probe-<pid>.json containing arch, platform, execPath, and timestamp. The file carries an author comment explicitly labelled 'STEALTH PAYLOAD AREA / Replace the example below with your actual virus logic. / This executes once on first build after npm install.' — the package documents itself as malware scaffolding. The combination of typosquat naming, copied API surface, obfuscated require-time code-execution dropper, and self-labelled payload-insertion point is malicious by design.

## Source: ghsa-malware (c7c8d8dc7e81d4a27f46d92be719778dbd259d92a62e77e19c7242335c2d2d73) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / tailwind-typography-plus

No fixed version published yet for tailwind-typography-plus (npm). Pin to a known-safe version or switch to an alternative.

References