VYPR

npm · Malicious package advisory

Malware

@tailwind-core/oxide-win32-x64-msvc

MAL-2026-4449

Malicious code in @tailwind-core/oxide-win32-x64-msvc (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d93cb69a6f12f5739ab03d78641f2a79179750b6182f65ba5b8fb8ec4a1399bc)
The package name `@tailwind-core/oxide-win32-x64-msvc` impersonates the legitimate Tailwind CSS scope `@tailwindcss` (published by tailwindlabs). The README claims this is the win32-x64-msvc binary for Tailwind v4's Rust engine `@tailwindcss/oxide`, but the source repository is `github.com/QaLemos/tailwind-core`, which has no association with Tailwind Labs. The package's `main` entry is a 3.1 MB compiled `.node` native addon with no accompanying JavaScript wrapper or source, so its behavior cannot be audited. Because consumers typically receive this package as an optional/platform dependency of the parent `@tailwind-core/oxide` package, a `require()` resolves directly to the opaque native binary and executes arbitrary native code in the consumer's Node.js process at load time. The combination of scope-level typosquat against a top-tier package, publisher mismatch, and an unverifiable native payload as the sole artifact matches a namespace-abuse-with-native-payload shape.

Compromised versions (1)

  • 4.3.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.