{"id":"MAL-2026-4452","summary":"Malicious code in @tailwind-core/webpack (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (7955094460738dc65288f88a3bb990c7d3ff52ed3683f11265b7072bd80aa4e3)\nPackage `@tailwind-core/webpack` impersonates the legitimate Tailwind v4 webpack loader `@tailwindcss/webpack`. The README copies Tailwind Labs branding by linking logo assets at `raw.githubusercontent.com/tailwindlabs/tailwind-core/HEAD/.github/logo-light.svg` and claims a `tailwind-core.com` homepage, while the actual repo is `QaLemos/tailwind-core` (not Tailwind Labs). The loader code itself is a faithful copy of the upstream loader and performs no direct network or credential activity, but `package.json` pins three sibling typosquats as dependencies (`tailwind-core@4.3.0`, `@tailwind-core/node@4.3.0`, `@tailwind-core/oxide@4.3.0`), all sharing the same impersonated namespace and identical version. Installing this package transitively pulls those sibling packages into the installer's dependency tree, which is the namespace-abuse delivery vector — the lure looks like the official Tailwind v4 webpack loader and silently brings attacker-controlled siblings along.\n","modified":"2026-05-27T00:32:06.797463745Z","published":"2026-05-20T01:16:03Z","withdrawn":"2026-05-26T20:46:07Z","database_specific":{"malicious-packages-origins":[{"sha256":"037a86564830bb02e1e68c91bcac017a5eee7139f1e6badf5053da1ed429f5fa","modified_time":"2026-05-20T01:16:04Z","import_time":"2026-05-26T05:50:28.71858756Z","id":"IN-MAL-2026-003352","versions":["4.3.0"],"source":"amazon-inspector"},{"sha256":"7955094460738dc65288f88a3bb990c7d3ff52ed3683f11265b7072bd80aa4e3","modified_time":"2026-05-20T01:16:03Z","import_time":"2026-05-26T05:50:28.593514418Z","id":"IN-MAL-2026-003351","versions":["4.3.0"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@tailwind-core/webpack/v/4.3.0"}],"affected":[{"package":{"name":"@tailwind-core/webpack","ecosystem":"npm","purl":"pkg:npm/%40tailwind-core%2Fwebpack"},"versions":["4.3.0"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"70115922c1745d7306d811d098e91227a2b78c174d987d493ac3811d4bccaeb62bf6df","sha256":"cde9e55dbf1eb1163e7472ccaa1431f68351568ec1a2c564b8846801d9c7d22a","path":"package.json"}],"package_integrity":[{"hashes":{"sha1":"f79a49a15aa02eee6c9bd9519f65a0da2ed1fa37","sha512_sri":"sha512-xijZYl0KlTwa/3EERsPtypj8btE8Mrr1Y9hOJHyurr6sZlR0VijnMGvmYx2e3taMJZo4pBJzGtDdLWOdAPc92Q=="},"filename":"webpack-4.3.0.tgz"}],"domains":["34.10.16.104.in-addr.arpa","34.6.16.104.in-addr.arpa"]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@tailwind-core/webpack/MAL-2026-4452.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}
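The record above describes the delivery vector (a lure manifest that pins same-version siblings in an impersonating namespace) and gives concrete indicators (package name, version, sha512 SRI of `webpack-4.3.0.tgz`). The following Node.js script is an added example, not part of the advisory, the OSSF malicious-packages tooling or any Tailwind Labs code. It applies two checks a practitioner would want: a pre-install check on a package's `package.json` for brand-impersonating dependencies pinned to the manifest's own version, and a post-install scan of a `package-lock.json` for the advisory's indicators and for a cluster of impersonating packages at one identical version. The brand policy (`tailwind` may only appear under `@tailwindcss/*` or `tailwindcss`), the function names and both sample inputs are assumptions constructed for illustration; only `@tailwind-core/webpack`, version `4.3.0`, the three sibling names and the sha512 SRI value are taken from the advisory.

```javascript
"use strict";

// Indicators copied from the advisory's package_integrity block.
const KNOWN_BAD = {
  "@tailwind-core/webpack": {
    versions: new Set(["4.3.0"]),
    integrity: new Set([
      "sha512-xijZYl0KlTwa/3EERsPtypj8btE8Mrr1Y9hOJHyurr6sZlR0VijnMGvmYx2e3taMJZo4pBJzGtDdLWOdAPc92Q==",
    ]),
  },
};

// Assumed organisational policy (not from the advisory): a package name that
// carries a protected brand token must come from the vendor's official names.
const BRAND_POLICY = [
  { token: "tailwind", allowed: [/^@tailwindcss\//, /^tailwindcss$/] },
];

function violatesBrandPolicy(name) {
  const lower = name.toLowerCase();
  return BRAND_POLICY.some(
    (p) => lower.includes(p.token) && !p.allowed.some((re) => re.test(name)),
  );
}

// Pre-install check on a package's own manifest: dependencies that reuse an
// impersonating brand name AND are pinned to exactly the manifest's version
// are the sibling-typosquat pattern described in the advisory.
function suspiciousSiblingPins(manifest) {
  return Object.entries(manifest.dependencies || {})
    .filter(([dep, spec]) => violatesBrandPolicy(dep) && spec === manifest.version)
    .map(([dep, spec]) => `${dep}@${spec}`);
}

// package-lock v2/v3 keys look like "node_modules/@scope/name", possibly nested
// under another node_modules; the package name follows the last "node_modules/".
function nameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Post-install scan of a parsed package-lock.json. Matching on integrity as
// well as name@version catches the tarball even if it was re-aliased.
function scanLockfile(lock) {
  const findings = [];
  const impersonatorsByVersion = new Map();
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry
    const name = entry.name || nameFromLockKey(key);
    const bad = KNOWN_BAD[name];
    if (bad && (bad.versions.has(entry.version) || bad.integrity.has(entry.integrity))) {
      findings.push({ kind: "known-malicious", name, version: entry.version });
    }
    if (violatesBrandPolicy(name)) {
      findings.push({ kind: "brand-impersonation", name, version: entry.version });
      const group = impersonatorsByVersion.get(entry.version) || [];
      group.push(name);
      impersonatorsByVersion.set(entry.version, group);
    }
  }
  // Three or more impersonating packages at one identical version is the
  // lure-plus-siblings cluster; report it once with its members.
  for (const [version, members] of impersonatorsByVersion) {
    if (members.length >= 3) findings.push({ kind: "sibling-cluster", version, members });
  }
  return findings;
}

function countByKind(findings) {
  const counts = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}

// Constructed sample manifest mirroring the pins the advisory describes; the
// "webpack" entry is filler added here to show a benign dependency is ignored.
const SAMPLE_MANIFEST = {
  name: "@tailwind-core/webpack",
  version: "4.3.0",
  dependencies: {
    "tailwind-core": "4.3.0",
    "@tailwind-core/node": "4.3.0",
    "@tailwind-core/oxide": "4.3.0",
    "webpack": "^5.0.0",
  },
};

// Constructed sample lockfile for a project that installed the lure. Only the
// lure entry's integrity is real (from the advisory); other versions are filler.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "victim-app", version: "1.0.0" },
    "node_modules/@tailwind-core/webpack": {
      version: "4.3.0",
      integrity: "sha512-xijZYl0KlTwa/3EERsPtypj8btE8Mrr1Y9hOJHyurr6sZlR0VijnMGvmYx2e3taMJZo4pBJzGtDdLWOdAPc92Q==",
    },
    "node_modules/tailwind-core": { version: "4.3.0" },
    "node_modules/@tailwind-core/node": { version: "4.3.0" },
    "node_modules/@tailwind-core/oxide": { version: "4.3.0" },
    "node_modules/@tailwindcss/webpack": { version: "4.0.0" },
    "node_modules/webpack": { version: "5.0.0" },
  },
};

console.log("manifest pins:", suspiciousSiblingPins(SAMPLE_MANIFEST));
console.log("lockfile findings:", countByKind(scanLockfile(SAMPLE_LOCK)));
```

Run it with `node` against the output of `JSON.parse(fs.readFileSync("package-lock.json"))` to scan a real project; the manifest check is useful before install, for example on the output of `npm view <pkg> --json`. The brand allowlist is the part to maintain: it encodes which scopes your organisation trusts to carry a vendor's name, which is exactly the trust the lure in this record abuses.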