{"id":"MAL-2026-4450","summary":"Malicious code in @tailwind-core/postcss (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1dab944715339b0fabcf954a92fd33faacbb4d878368c36ea5a7d26d72fe2e56)\nPackage name @tailwind-core/postcss is a one-character-class edit of the official @tailwindcss/postcss (Tailwind CSS v4 PostCSS plugin), published under the unrelated @tailwind-core scope by GitHub user QaLemos with homepage tailwind-core.com. The package's main entry dist/index.js performs require(\"@tailwind-core/node\") and require(\"@tailwind-core/oxide\") — both typosquats of the legitimate @tailwindcss/node and @tailwindcss/oxide siblings — and declares them as version-pinned dependencies (4.3.0), so installing this package silently pulls the attacker-controlled @tailwind-core/* family into the consumer's dependency tree. Whatever code those siblings contain auto-executes when the PostCSS plugin is loaded by a consumer's build. The README compounds the deception by displaying npm/version/downloads/license badges sourced from tailwindlabs/tailwindcss while linking issue/discussion targets back to QaLemos/tailwind-core, presenting metrics of the legitimate project as if they belonged to this fork.\n","modified":"2026-05-27T00:32:06.761275461Z","published":"2026-05-20T00:24:18Z","withdrawn":"2026-05-26T20:46:07Z","database_specific":{"malicious-packages-origins":[{"sha256":"1dab944715339b0fabcf954a92fd33faacbb4d878368c36ea5a7d26d72fe2e56","modified_time":"2026-05-20T00:24:18Z","import_time":"2026-05-26T05:50:24.734645318Z","id":"IN-MAL-2026-003316","versions":["4.3.0"],"source":"amazon-inspector"},{"sha256":"b6943d366cdae1c8ce59319a3b566ff1e0b3b17e4641671a5a2bbc83517683ce","modified_time":"2026-05-20T00:24:18Z","import_time":"2026-05-26T05:50:24.83649455Z","id":"IN-MAL-2026-003317","versions":["4.3.0"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@tailwind-core/postcss/v/4.3.0"}],"affected":[{"package":{"name":"@tailwind-core/postcss","ecosystem":"npm","purl":"pkg:npm/%40tailwind-core%2Fpostcss"},"versions":["4.3.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"tlsh":"70216b22c5644c730ad512c06df91122a6b7881789d87d4937c7822d4fcd6aba2be7cf","sha256":"9b2a480bfd70b67463f3eefd8171c7be39b53c81ac697d494eb160a92ea9c8d8","path":"package.json"},{"tlsh":"c761746b809d3d3f0912618087d03195d7a3512bda90756bbca680397bed222f27fac7","sha256":"0991b74ef78a781f294abe4aaae9d150f47aef89f917ef275df0b565e8571423","path":"README.md"}],"package_integrity":[{"filename":"postcss-4.3.0.tgz","hashes":{"sha1":"9e79707fe1af2a35ed37f5976309f130e3744594","sha512_sri":"sha512-VNDrWOUo3UFCLNu0aAPkftueYVFUVqm2TgErUJ5WK0L2K5c2ywv1Jsoo/kmGrmM2zeCNeC+Ym7DIVNncEAMz3Q=="}}],"domains":["34.0.16.104.in-addr.arpa"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@tailwind-core/postcss/MAL-2026-4450.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}