{"id":"MAL-2026-4449","summary":"Malicious code in @tailwind-core/oxide-win32-x64-msvc (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d93cb69a6f12f5739ab03d78641f2a79179750b6182f65ba5b8fb8ec4a1399bc)\nThe package name `@tailwind-core/oxide-win32-x64-msvc` impersonates the legitimate Tailwind CSS scope `@tailwindcss` (published by tailwindlabs). The README claims this is the win32-x64-msvc binary for Tailwind v4's Rust engine `@tailwindcss/oxide`, but the source repository is `github.com/QaLemos/tailwind-core`, which has no association with Tailwind Labs. The package's `main` entry is a 3.1 MB compiled `.node` native addon with no accompanying JavaScript wrapper or source, so its behavior cannot be audited. Because consumers typically receive this package as an optional/platform dependency of the parent `@tailwind-core/oxide` package, a `require()` resolves directly to the opaque native binary and executes arbitrary native code in the consumer's Node.js process at load time. The combination of scope-level typosquat against a top-tier package, publisher mismatch, and an unverifiable native payload as the sole artifact matches a namespace-abuse-with-native-payload shape.\n","modified":"2026-05-27T00:32:05.801215904Z","published":"2026-05-20T03:22:12Z","withdrawn":"2026-05-26T20:46:07Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["4.3.0"],"import_time":"2026-05-26T05:50:39.540018577Z","id":"IN-MAL-2026-003446","sha256":"d93cb69a6f12f5739ab03d78641f2a79179750b6182f65ba5b8fb8ec4a1399bc","modified_time":"2026-05-20T03:22:12Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@tailwind-core/oxide-win32-x64-msvc/v/4.3.0"}],"affected":[{"package":{"name":"@tailwind-core/oxide-win32-x64-msvc","ecosystem":"npm","purl":"pkg:npm/%40tailwind-core%2Foxide-win32-x64-msvc"},"versions":["4.3.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@tailwind-core/oxide-win32-x64-msvc/MAL-2026-4449.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"tlsh":"4cf05923c2365d330adc5e8048ea32c296b3580744887d497bcbc99c0faca17727c1ee","path":"package.json","sha256":"4d2106fcfb2e8034927fd2b674ab3ff3c6cc595dbca31f84f14e4ede07bfddcd"}],"package_integrity":[{"hashes":{"sha1":"4d63d8490181cddcff7a16dedb093bc527b20dd6","sha512_sri":"sha512-7sBVFy0nMCmgsdjX3DJxlbhJf6qepzLofPNvgAyRYePCzvcTVaYTSPeig6bkr366Ji2aqSH8flflcCob1JcqzA=="},"filename":"oxide-win32-x64-msvc-4.3.0.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}