npm · Malicious package advisory
Malware@tailwind-core/oxide-linux-x64-gnu
MAL-2026-4448
Malicious code in @tailwind-core/oxide-linux-x64-gnu (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (a107a0746f2f5159d661e4d332eac53f871b9d22f80caf5863bdd713e252ae00) The package name '@tailwind-core/oxide-linux-x64-gnu' impersonates the legitimate Tailwind CSS v4 oxide engine package '@tailwindcss/oxide-linux-x64-gnu' published under the tailwindlabs scope. Version 4.3.0 mirrors Tailwind's release line, increasing the chance of accidental adoption via typo or dependency-confusion. The repository URL in package.json points to 'github.com/QaLemos/tailwind-core.git', a personal account with no relationship to the tailwindlabs publisher. The package ships a single 2.9 MB native binary 'tailwind-core-oxide.linux-x64-gnu.node' declared as `main`; on `require()`, Node loads the native module via napi_register_module_v1 and executes attacker-controlled code. No source is shipped, so the binary's behavior cannot be inspected. The combination of an exact-scope-rename of a top-tier package, version-line mirroring, publisher mismatch, and an opaque native payload that executes on require is the typosquat-with-payload shape: name confusion supplies the distribution, and the unverifiable native binary supplies the import-time execution surface.
Compromised versions (1)
- 4.3.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.