VYPR

npm · Malicious package advisory

Malware

@tailwind-core/webpack

MAL-2026-4452

Malicious code in @tailwind-core/webpack (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7955094460738dc65288f88a3bb990c7d3ff52ed3683f11265b7072bd80aa4e3)
Package `@tailwind-core/webpack` impersonates the legitimate Tailwind v4 webpack loader `@tailwindcss/webpack`. The README copies Tailwind Labs branding by linking logo assets at `raw.githubusercontent.com/tailwindlabs/tailwind-core/HEAD/.github/logo-light.svg` and claims a `tailwind-core.com` homepage, while the actual repo is `QaLemos/tailwind-core` (not Tailwind Labs). The loader code itself is a faithful copy of the upstream loader and performs no direct network or credential activity, but `package.json` pins three sibling typosquats as dependencies (`tailwind-core@4.3.0`, `@tailwind-core/node@4.3.0`, `@tailwind-core/oxide@4.3.0`), all sharing the same impersonated namespace and identical version. Installing this package transitively pulls those sibling packages into the installer's dependency tree, which is the namespace-abuse delivery vector — the lure looks like the official Tailwind v4 webpack loader and silently brings attacker-controlled siblings along.

Compromised versions (1)

  • 4.3.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.