npm · Malicious package advisory
Malware · tw-theme-kit
MAL-2026-5935
Malicious code in tw-theme-kit (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (0144b9ea6743e481e49885f6375a8aa990e9a20bfc5da1148b7df59a9370736c)
The published entrypoints `dist/index.cjs` and `dist/runtime.cjs` contain an injected IIFE that assigns `global.r = require` and `global.m = module`, tags the host with campaign id 'A6-Orion-271', uses a string-shuffle helper to reconstruct the identifier 'constructor', then invokes `Function()` on a deshuffled obfuscated blob and immediately calls the resulting function. Any consumer that does `require('tw-theme-kit')` or `import 'tw-theme-kit/runtime'` triggers attacker-controlled code at load time with full Node capabilities (`fs`, `child_process`, `net`) exposed via the globals. This behavior is unrelated to the package's stated purpose (a Tailwind theme plugin) and matches the fingerprint of the 'Orion' obfuscated-loader campaign. The `.mjs` builds and source-maps embed the same obfuscated literal, so no entrypoint is safe.
Compromised versions (1)
- 1.1.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.
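A triage check built only from the indicators this advisory names (the package name, version 1.1.0, the two global assignments and the campaign id), as an added example that is not part of the advisory or of any vendor tooling. It assumes a `package-lock.json` with lockfileVersion 2 or 3; the function names and the sample lockfile and file contents are constructed for illustration.

```javascript
// Added example: heuristic triage for tw-theme-kit 1.1.0 using only the
// indicators named in the advisory text. Names here are hypothetical.
const BAD = { name: 'tw-theme-kit', versions: new Set(['1.1.0']) };

// Loader fingerprints described in the advisory; whitespace-tolerant because
// published builds are often minified.
const INDICATORS = [
  { id: 'global-require', re: /\bglobal\s*\.\s*r\s*=\s*require\b/ },
  { id: 'global-module', re: /\bglobal\s*\.\s*m\s*=\s*module\b/ },
  { id: 'campaign-id', re: /A6-Orion-271/ },
];

// Walk the lockfile's "packages" map and return every install path of a
// compromised version, including copies nested under other dependencies.
function findCompromised(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split('node_modules/').pop();
    if (name === BAD.name && BAD.versions.has(meta.version)) hits.push(path);
  }
  return hits;
}

// Return the ids of the indicators present in one file's text.
function scanSource(text) {
  return INDICATORS.filter((i) => i.re.test(text)).map((i) => i.id);
}

// Constructed sample inputs (not real artifacts; versions other than 1.1.0
// are placeholders).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.0-constructed' },
    'node_modules/tw-theme-kit': { version: '0.0.0-constructed' },
    'node_modules/ui-lib/node_modules/tw-theme-kit': { version: '1.1.0' },
  },
};
const sampleFile = '(function(){global.r=require;global.m=module;/* ... */})();';

console.log(findCompromised(sampleLock));
console.log(scanSource(sampleFile));
```

Feed `findCompromised` the parsed lockfile and `scanSource` the text of each file under the installed package's `dist/` directory. Any lockfile hit falls under the guidance above regardless of what the source scan shows, because the regexes are a heuristic over strings that an obfuscated build can vary.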