npm · Malicious package advisory
Malware@tailwind-core/webpack
MAL-2026-4452
Malicious code in @tailwind-core/webpack (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (7955094460738dc65288f88a3bb990c7d3ff52ed3683f11265b7072bd80aa4e3) Package `@tailwind-core/webpack` impersonates the legitimate Tailwind v4 webpack loader `@tailwindcss/webpack`. The README copies Tailwind Labs branding by linking logo assets at `raw.githubusercontent.com/tailwindlabs/tailwind-core/HEAD/.github/logo-light.svg` and claims a `tailwind-core.com` homepage, while the actual repo is `QaLemos/tailwind-core` (not Tailwind Labs). The loader code itself is a faithful copy of the upstream loader and performs no direct network or credential activity, but `package.json` pins three sibling typosquats as dependencies (`tailwind-core@4.3.0`, `@tailwind-core/node@4.3.0`, `@tailwind-core/oxide@4.3.0`), all sharing the same impersonated namespace and identical version. Installing this package transitively pulls those sibling packages into the installer's dependency tree, which is the namespace-abuse delivery vector — the lure looks like the official Tailwind v4 webpack loader and silently brings attacker-controlled siblings along.
Compromised versions (1)
- 4.3.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.