VYPR

npm · Malicious package advisory

Malware

tailwind-color-shades

MAL-2026-6471

Malicious code in tailwind-color-shades (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (dfd681005962f5628f4394450bae9430992e58159e3256bb4af2bc156c5c1fc5)
The package's documented entry point `index.ts` begins with `import './src/bootstrap';`, which causes `src/bootstrap.js` to run whenever the module is required or imported. `src/bootstrap.js` is a custom string-shuffle obfuscator: a function `YWG(x)` deterministically unscrambles opaque string literals (e.g. `YWG('axhscuutcrogycrneotisjlnkdpfqmzovtrwb').substr(0,11)` reconstructs the literal `'constructor'`), then uses `Function.prototype.constructor` to build a `Function` from one shuffled blob, executes it on a second shuffled blob, and invokes the result via `XZs(7942)`. Before invoking the constructed code the bootstrap explicitly re-exposes Node capabilities to it via `global['r']=require; global['m']=module;`, granting the dynamically generated payload full filesystem, child_process, and network access. The package's advertised purpose is straightforward Tailwind color-shade math — a few dozen lines of pure arithmetic — so a hand-rolled string-shuffle obfuscator wrapping `Function`-constructed code at import time has no legitimate purpose. This is the standard supply-chain attack shape: opaque payload, evasion-only obfuscation, automatic execution on consumer import, full Node capability re-export.

Compromised versions (1)

  • 1.0.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.