{"id":"MAL-2026-4451","summary":"Malicious code in @tailwind-core/vite (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1f9a00740b85c3ce7b36a9ba242f3eccc9ebf3d4f626ab911342c50d63b48805)\nThe package name @tailwind-core/vite impersonates the official @tailwindcss/vite plugin from tailwindlabs, and its package.json declares three dependencies — @tailwind-core/node@4.3.0, tailwind-core@4.3.0, and @tailwind-core/oxide@4.3.0 — that mirror the official @tailwindcss/node, tailwindcss, and @tailwindcss/oxide packages. The README copies Tailwind branding, including a logo srcset pointing at tailwindlabs/tailwind-core, but the repository is owned by an unrelated account (QaLemos), not tailwindlabs. While dist/index.mjs in this tarball appears to be a copy of the legitimate Tailwind Vite plugin with no overt payload, installing this package silently pulls in three sibling typosquatted packages under the same attacker-controlled namespace. A developer who mistypes the official scope and runs `npm install @tailwind-core/vite` ends up with attacker-controlled code from the sibling packages in their dependency tree.\n","modified":"2026-05-27T00:32:06.793393137Z","published":"2026-05-19T23:54:08Z","withdrawn":"2026-05-26T20:46:07Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-19T23:54:08Z","import_time":"2026-05-26T05:50:23.546934729Z","sha256":"1f9a00740b85c3ce7b36a9ba242f3eccc9ebf3d4f626ab911342c50d63b48805","versions":["4.3.0"],"id":"IN-MAL-2026-003306","source":"amazon-inspector"},{"modified_time":"2026-05-19T23:54:09Z","import_time":"2026-05-26T05:50:23.7020961Z","sha256":"cb9dde628a04d805d26041556263f1c6693ac76453942cee8b535daee2230381","versions":["4.3.0"],"id":"IN-MAL-2026-003307","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@tailwind-core/vite/v/4.3.0"}],"affected":[{"package":{"name":"@tailwind-core/vite","ecosystem":"npm","purl":"pkg:npm/%40tailwind-core%2Fvite"},"versions":["4.3.0"],"database_specific":{"indicators":{"package_integrity":[{"filename":"vite-4.3.0.tgz","hashes":{"sha1":"9d19ec05feefc334500bbfa3942b3de90aac1110","sha512_sri":"sha512-UOjss9ConvVxb4dacJyiLr7AZQBWcGpXKOPGhV0BC+yJs2r0jEHTqjEzjwfsmlCBdMk/oB+GTN26cC5UMYxSng=="}}],"domains":["34.5.16.104.in-addr.arpa","34.2.16.104.in-addr.arpa"],"evidence_files":[{"tlsh":"47115b26c5745cb307d915d0acf91113a2b3581789d87d4536c7811d4bcda97a0be2df","sha256":"df4d860cc8dd1dfb0732b8b1f460393ba26b58ee0386cfe046d716004222c486","path":"package.json"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@tailwind-core/vite/MAL-2026-4451.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}