{"id":"MAL-2026-4448","summary":"Malicious code in @tailwind-core/oxide-linux-x64-gnu (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a107a0746f2f5159d661e4d332eac53f871b9d22f80caf5863bdd713e252ae00)\nThe package name '@tailwind-core/oxide-linux-x64-gnu' impersonates the legitimate Tailwind CSS v4 oxide engine package '@tailwindcss/oxide-linux-x64-gnu' published under the tailwindlabs scope. Version 4.3.0 mirrors Tailwind's release line, increasing the chance of accidental adoption via typo or dependency-confusion. The repository URL in package.json points to 'github.com/QaLemos/tailwind-core.git', a personal account with no relationship to the tailwindlabs publisher. The package ships a single 2.9 MB native binary 'tailwind-core-oxide.linux-x64-gnu.node' declared as `main`; on `require()`, Node loads the native module via napi_register_module_v1 and executes attacker-controlled code. No source is shipped, so the binary's behavior cannot be inspected. The combination of an exact-scope-rename of a top-tier package, version-line mirroring, publisher mismatch, and an opaque native payload that executes on require is the typosquat-with-payload shape: name confusion supplies the distribution, and the unverifiable native binary supplies the import-time execution surface.\n","modified":"2026-05-27T00:32:05.749223658Z","published":"2026-05-20T19:31:05Z","withdrawn":"2026-05-26T20:46:07Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","sha256":"49cf27628927e98f949219168f4167d2551353200e78ff52f02e2ef57b0211f4","import_time":"2026-05-26T05:50:56.657988496Z","modified_time":"2026-05-20T19:31:05Z","id":"IN-MAL-2026-003602","versions":["4.3.0"]},{"versions":["4.3.0"],"sha256":"a107a0746f2f5159d661e4d332eac53f871b9d22f80caf5863bdd713e252ae00","import_time":"2026-05-26T05:50:56.54608648Z","modified_time":"2026-05-20T19:31:05Z","id":"IN-MAL-2026-003601","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@tailwind-core/oxide-linux-x64-gnu/v/4.3.0"}],"affected":[{"package":{"name":"@tailwind-core/oxide-linux-x64-gnu","ecosystem":"npm","purl":"pkg:npm/%40tailwind-core%2Foxide-linux-x64-gnu"},"versions":["4.3.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@tailwind-core/oxide-linux-x64-gnu/MAL-2026-4448.json","indicators":{"package_integrity":[{"hashes":{"sha1":"758755806c7718e79af011bfc2d9c65ac84c5be0","sha512_sri":"sha512-YxOTtvmSHo52tVyVrs0gd19DNmPN44aYuWUqFHejsThoVrnkrPD2YH3+Z0QVwSOcnsU/IAscDdxfiLIFw//+yw=="},"filename":"oxide-linux-x64-gnu-4.3.0.tgz"}],"domains":["34.2.16.104.in-addr.arpa"],"evidence_files":[{"path":"package.json","sha256":"1123b4c6b433935531a102dacab6c32c5aa67c2959c74c30a2fec700ee78c4e6","tlsh":"42f08b13e2348d330aec1a508ede02c256b30887c4583c197acb811c0b7c613617c4ea"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}