{"id":"MAL-2026-10550","summary":"Malicious code in better-tailwindcss (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (302c3b7766a431cefe81d41434fd4c5aae74aacec230488bd004eca18cbe8dff)\nThe package publishes under the name of the legitimate `better-tailwindcss` project but its package.json declares both a runtime and dev dependency on `better-tailwindcss` resolved from `http://pack.nppacks.com/npm/better-tailwindcss` — a plain-HTTP, non-registry host with no integrity hash and no TLS. On `npm install`, npm fetches and installs that arbitrary, mutable tarball, and any install/postinstall scripts inside it execute on the installer's machine. The shipped code itself is a Babel plugin clone unrelated to the real better-tailwindcss project (a tailwind ESLint plugin) and carries a self-label describing the package as being for 'Security Research Testing Purpose,' confirming it is a namespace squat used as a delivery vehicle for code hosted at pack.nppacks.com.\n","modified":"2026-07-15T19:05:40.892282684Z","published":"2026-07-14T04:35:12Z","database_specific":{"malicious-packages-origins":[{"sha256":"302c3b7766a431cefe81d41434fd4c5aae74aacec230488bd004eca18cbe8dff","source":"amazon-inspector","versions":["4.6.3"],"id":"IN-MAL-2026-010391","import_time":"2026-07-14T05:49:18.918263394Z","modified_time":"2026-07-14T04:35:12Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/better-tailwindcss/v/4.6.3"}],"affected":[{"package":{"name":"better-tailwindcss","ecosystem":"npm","purl":"pkg:npm/better-tailwindcss"},"versions":["4.6.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/better-tailwindcss/MAL-2026-10550.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"path":"package.json","sha256":"9f7cc1544cc6cec136b6a262c58848b24e4604f402911eff0552f86f1f42c789","tlsh":"baf04c56ce22ae7344d631502f665006f25159472c19fe0832cf672e4a8e0ef71f415e"},{"sha256":"f2fcebdb4f0e41365a39ca87a52fcc4e6abd5633fe6272e60d1386d26b90ef41","tlsh":"71a1935ab5e0159745aa22e5b3ce48b577bd80b3330df5a0b54cbf563f40c348a1aed1","path":"index.js"}],"package_integrity":[{"filename":"better-tailwindcss-4.6.3.tgz","hashes":{"sha512_sri":"sha512-Ww+jHuid3pRK8Zc7llnM0B0GW5EfHzlCECXuzQ5xQtc9wRW8SdN86GsrUhV82FoGxD3OKBWSwTC+utp4XpyuHA==","sha1":"b6d5a6ef90307a21a69efa16afad9b6d14fa537a"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}