
MAL-2026-5973

Malicious code in classbreeze-utils (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bd50696fc7ff4ed1899df5a40dc90cbb7b5480f083bca92a2272884d7540783e)

classbreeze-utils ships a heavily obfuscated dropper appended to a copied @tailwindcss/typography plugin in src/index.js. On require(), a setTimeout fires a function that decodes an RC4-encrypted string array to construct an OS-specific remote URL (branching on win32/darwin/linux and reading %APPDATA% on Windows), fetches a binary via fetch(), writes it under os.homedir() (or %APPDATA%/Microsoft) with mode 0o700, then launches it via child_process.spawn with detached:true and stdio ignored.

The package name is unrelated to Tailwind, but README.md is copied verbatim from @tailwindcss/typography (including '<h1>tailwindTYPOGRAPHY Style</h1>' and install instructions rewritten to 'npm install -D classbreeze-utils' / '@plugin "classbreeze-utils"'), so developers following copy-pasted Tailwind setup snippets can be tricked into installing it.

The string-array obfuscation (shuffler with while(!![]) + push/shift on parseInt match, base64+URI+RC4 decoders) hides the module names ('fs','path','child_process'), OS detection branches, the download URL, and the dropped-file path. No version pinning, no signature verification, executable bit set, detached process — a textbook generic-binary dropper running at module load.


Affected packages

npm / classbreeze-utils

No fixed version published yet for classbreeze-utils (npm). Pin to a known-safe version or switch to an alternative.
