MAL-2026-10073
Malicious code in tailwind-animate-v4 (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (f84f64cb815db4292d41676cee2df5e9e5ca2953ed29f3bd2288e83d7c3779dc) Package name `tailwind-animate-v4` impersonates the legitimate `tailwindcss-animate` Tailwind plugin; the README and author field are copied verbatim from the legitimate package. The `main` entry `index.js` appends, after thousands of tab characters used as anti-review padding, a shuffled-string decoder that builds a function via the Function constructor and immediately invokes it at module load. Before the eval, the payload assigns `require`, `__dirname`, and `__filename` onto `global` (with marker `global.o='1-project'`) so the decoded body regains full Node.js module capabilities. Any developer who installs this package and references it from `tailwind.config.js` (`require('tailwind-animate-v4')`) executes the hidden payload in their Node.js process at import time. The combination of name impersonation, hidden padding, string-shuffle obfuscation, and Function-constructor eval of an opaque body is an unambiguous supply-chain attack against installers of the legitimate plugin.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for tailwind-animate-v4 (npm). Pin to a known-safe version or switch to an alternative.