{"id":"MAL-2026-3776","summary":"Malicious code in typography-stylecss (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4eeb50f69746fd21696baaa7d3534bbd22489edb037742ca591d49ca88981f70)\nThe package impersonates the legitimate @tailwindcss/typography plugin: README, src/index.js, src/utils.js, and src/styles.js are copied verbatim from the Tailwind Labs plugin, and peerDependencies lists tailwindcss to reinforce the masquerade, but the package is published under the unrelated name typography-stylecss. Appended to src/index.js after the legitimate `module.exports = plugin.withOptions(...)` is an obfuscator.io-style payload (hex-named identifiers _0x168f6b, _0x3fc27f, etc., with a rotated string table _0x5975). Decoded string-table fragments include platform branching ('win32', 'windows', 'agent-linux-') and a URL path template `/agents/\u003cdeploymentHash\u003e` built against a base URL read from a `__SSTAR_API_BASE` global, consistent with downloading a platform-specific agent binary and executing it. Because this code sits at module top level, it fires on `require('typography-stylecss')` / `import 'typography-stylecss'` — exactly the usage the cloned README instructs developers to add to their `tailwind.config.js`. Any build or dev server that loads the Tailwind config will trigger the dropper, which fetches and runs an attacker-controlled native binary on the installer's machine.\n","modified":"2026-05-15T07:51:42.071501Z","published":"2026-05-14T19:25:18Z","database_specific":{"malicious-packages-origins":[{"sha256":"4eeb50f69746fd21696baaa7d3534bbd22489edb037742ca591d49ca88981f70","id":"IN-MAL-2026-002713","import_time":"2026-05-15T07:37:17.770978187Z","source":"amazon-inspector","versions":["0.7.4"],"modified_time":"2026-05-14T19:25:18Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/typography-stylecss/v/0.7.4"}],"affected":[{"package":{"name":"typography-stylecss","ecosystem":"npm","purl":"pkg:npm/typography-stylecss"},"versions":["0.7.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/typography-stylecss/MAL-2026-3776.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-tiNS5Yl8VmA6Wege03VgUvcFKFce6rvsxUPd9Zp3Y/A9r0PcHTOXiUTKCOvHv7IuMVs4F1kZgK1QfrUxGRSYwA==","sha1":"36f545aa6e3a8aa2f6b12cf22419049fc3fe89c1"},"filename":"typography-stylecss-0.7.4.tgz"}],"evidence_files":[{"sha256":"227b58b46968b0f0771baf98a224bfcc400f77ed127d714237f6450f58771062","path":"src/index.js","tlsh":"cc827354b6c6b080138b9b77221fb0e9e12e06cb794c1857f15c78d0bf78619d6eae78"},{"sha256":"a37c94468ea42b0b0a7fb46bd6c689268190093975372c6982e371ac118c56e1","path":"package.json","tlsh":"fb31df10dd148eb341d5686a99381517a962c4539a68fc0c33c6478c4f0e2bfa0fe5ee"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}