{"id":"MAL-2026-5487","summary":"Malicious code in tailwind-form (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (37a2959fd43465328b090afd0464e0e3de0e1677ecd2068d4ef05bdfe5867b79)\ntailwind-form is a typosquat of the legitimate @tailwindcss/forms plugin (README and repository field are copied from tailwindlabs/tailwindcss-forms, but the package is published under an unrelated name by an unaffiliated author). The main module src/index.js ends with an eval that fetches https://www.jsonkeeper.com/b/NFTTN via axios and eval's the returned JSON field content_o. Any project that requires this package executes whatever JavaScript is currently hosted at that public, author-mutable paste URL — giving the publisher unconditional remote code execution on every installer's machine at module-load time.\n","modified":"2026-06-09T21:01:36.579297350Z","published":"2026-06-09T20:09:10Z","database_specific":{"malicious-packages-origins":[{"sha256":"37a2959fd43465328b090afd0464e0e3de0e1677ecd2068d4ef05bdfe5867b79","versions":["0.5.12"],"modified_time":"2026-06-09T20:09:10Z","import_time":"2026-06-09T20:45:50.355431299Z","id":"IN-MAL-2026-005189","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/tailwind-form/v/0.5.12"}],"affected":[{"package":{"name":"tailwind-form","ecosystem":"npm","purl":"pkg:npm/tailwind-form"},"versions":["0.5.12"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"filename":"tailwind-form-0.5.12.tgz","hashes":{"sha1":"d03fcd28cf7f62d08de8cb0da83955d64398304c","sha512_sri":"sha512-GXVtf2BH94DWs/YfdLZ/C/obLbyaWWmjtB3BDjjrXY4xp8sAk0I4r/lw+S//lQlZzcYAQs+qbL5jP2UIkK6pvA=="}}],"evidence_files":[{"sha256":"c7cf538be94011e3ee10d9e5dbe2f7ab85a79522c5775d79008bf063fce23156","tlsh":"23524417e172421f2d73496e91eda9c4e306632b826019a3f8bc54700ffb584aa67e7d","path":"src/index.js"},{"sha256":"26520df5e3ccef49d1c0bd319f809c5d3969916ea9383fff103332aecba08b42","tlsh":"9f219e33cd444e3745b06671e6b80643f287572b9128e84f31fa819c8f766b7d094a5f","path":"package.json"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tailwind-form/MAL-2026-5487.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}