{"id":"MAL-2026-5618","summary":"Malicious code in tailwind-animator-scroll (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f89c3c4c01375bc7baef213c815a901ac3947eaf3835aa80ea67a725ece8d533)\nThe package's main entry src/index.js appends, after a large whitespace gap following the legitimate-looking Tailwind plugin code, an eval(atob('Z2xvYmFsWychJ109JzExJzt2YXIgXyRfMWU0Mj0...')) call. The decoded first stage re-exposes Node's require and module as global aliases (global['c']=require, etc. — typo-style obfuscation) and then invokes a second-stage IIFE that uses a custom shuffle decoder plus the Function() constructor to assemble and execute a further opaque payload. Because this lives in the main entry, simply adding the plugin to tailwind.config.js executes attacker-controlled code inside the developer's build environment, where CI tokens, environment variables, source code, and credentials are all reachable. The package additionally impersonates the legitimate tailwindcss-animationfound plugin: the README copies its CSS class names and API surface verbatim, the install snippet uses yet another misspelling (`tailwind-animatior-scroll`), and a shields.io badge links to the real tailwindcss-animationfound package — a typosquat lure designed to catch developers who mistype or fuzzy-search for the legitimate 
plugin.\n","modified":"2026-06-11T08:01:32.823212418Z","published":"2026-06-11T07:39:13Z","database_specific":{"malicious-packages-origins":[{"versions":["1.7.0"],"source":"amazon-inspector","id":"IN-MAL-2026-005708","modified_time":"2026-06-11T07:39:14Z","sha256":"ba3df97ff156b8e1e30b41be70b8a14bf5ca95949640fb51a96b3369231cf372","import_time":"2026-06-11T07:49:43.362789663Z"},{"versions":["1.7.0"],"source":"amazon-inspector","id":"IN-MAL-2026-005707","modified_time":"2026-06-11T07:39:13Z","sha256":"f89c3c4c01375bc7baef213c815a901ac3947eaf3835aa80ea67a725ece8d533","import_time":"2026-06-11T07:49:43.287752429Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/tailwind-animator-scroll/v/1.7.0"}],"affected":[{"package":{"name":"tailwind-animator-scroll","ecosystem":"npm","purl":"pkg:npm/tailwind-animator-scroll"},"versions":["1.7.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tailwind-animator-scroll/MAL-2026-5618.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-YoFQuHpuiAnaObIxKPzhSel08QDua0zioYtHR/6ht/xYet/yY2BWkoopBEJSUu0C7hF6yRgjmaDK79eZ1imNcw==","sha1":"3be855c4d14422515df31cec629dcfc37f1ab92f"},"filename":"tailwind-animator-scroll-1.7.0.tgz"}],"evidence_files":[{"path":"src/index.js","tlsh":"cef18db1bf9054bad34b634342686a09101b9d4e0c5c1cd9778ccc9a0fa9f118b6dfad","sha256":"0a80cc4b7c4b222c859f83d9233174528a30bd7e763c11843199c9672849d1cb"},{"path":"README.md","tlsh":"6df1ffd3b12a273903a38273129f2811ccf659c5f1295ca9bdbd412d97b9938932f279","sha256":"70d0982e278abaf01c3dea7398b2ecba083091cb7a07d7a9481a8368e031ca86"}],"domains":["api.trongrid.io","bsc-dataseed.binance.org","fullnode.mainnet.aptoslabs.com","bootstrap.pypa.io"]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon 
Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}
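The loader pattern described in the details above (an `eval(atob('...'))` call parked behind a long run of whitespace at the end of an otherwise plausible Tailwind plugin entry file, whose decoded first stage re-exposes `require`/`module` as global aliases and hands off to the `Function()` constructor) is cheap to triage statically. The following is an added example written for this page, not code from the advisory, from Amazon Inspector, or from the package: it finds every `eval(atob(<base64>))` in a source string, decodes the argument, checks the decoded text for the indicators the advisory names, and measures the whitespace gap in front of the call. The sample plugin source, the stand-in first stage and the base64 it is wrapped in are all constructed here; the indicator regexes, the 50-line gap threshold and the function names are assumptions for the demo, not anything the advisory specifies.

```javascript
// Added example, not from the advisory or the malicious package.
// Static triage for the eval(atob(...)) loader pattern described in
// MAL-2026-5618. Runs offline under Node; all inputs are constructed here.

// Constructed stand-in for the legitimate-looking plugin code.
const LEGIT_PLUGIN = `const plugin = require('tailwindcss/plugin');
module.exports = plugin(function ({ addUtilities }) {
  addUtilities({ '.animate-fade-in': { animation: 'fadeIn 1s ease-in' } });
});
`;

// Constructed stand-in for a decoded first stage (NOT the real payload):
// single-letter global aliases for require/module, then a Function() hand-off.
const FAKE_STAGE1 =
  "global['c']=require;global['m']=module;(function(){Function('return 1')();})();";

// Constructed malicious sample: plugin code, a 400-line whitespace gap,
// then the base64-wrapped stage executed through eval(atob(...)).
const MALICIOUS_SAMPLE =
  LEGIT_PLUGIN + '\n'.repeat(400) +
  `eval(atob('${Buffer.from(FAKE_STAGE1, 'utf8').toString('base64')}'))\n`;

// Heuristic indicators searched for inside each decoded stage (assumed set).
const STAGE_INDICATORS = [
  { name: 'global-require-alias',
    re: /global\s*\[\s*['"][^'"]+['"]\s*\]\s*=\s*(require|module)\b/ },
  { name: 'function-constructor', re: /\bFunction\s*\(/ },
  { name: 'nested-eval', re: /\beval\s*\(/ },
];

// Locate every eval(atob('<base64>')) call, decode it, scan the decoded
// text for indicators, and count the blank lines immediately before it.
function scanSource(src) {
  const findings = [];
  const evalAtob = /eval\s*\(\s*atob\s*\(\s*['"]([A-Za-z0-9+\/=]+)['"]\s*\)\s*\)/g;
  let m;
  while ((m = evalAtob.exec(src)) !== null) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    const hits = STAGE_INDICATORS.filter(i => i.re.test(decoded)).map(i => i.name);
    // Whitespace run directly preceding the call; newlines in it = gap size.
    const gap = (src.slice(0, m.index).match(/\s+$/) || [''])[0];
    findings.push({
      offset: m.index,
      whitespaceGapLines: (gap.match(/\n/g) || []).length,
      decodedPreview: decoded.slice(0, 80),
      indicators: hits,
    });
  }
  return findings;
}

// Triage verdict: any eval(atob()) deserves review; one whose decoded stage
// carries loader indicators, or that hides behind a large whitespace gap,
// is flagged as malicious. gapThreshold (50 lines) is an assumed cut-off.
function verdict(src, gapThreshold = 50) {
  const findings = scanSource(src);
  const malicious = findings.some(
    f => f.indicators.length > 0 || f.whitespaceGapLines >= gapThreshold
  );
  return { malicious, findings };
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(verdict(MALICIOUS_SAMPLE), null, 2));
  console.log(JSON.stringify(verdict(LEGIT_PLUGIN), null, 2));
}
```

In practice this runs over the unpacked tarball's `main` entry (here `src/index.js`) before the package is ever added to `tailwind.config.js`, since that is the point at which the loader would execute inside the build. The decoded preview is what an analyst looks at next; the real second stage described in the advisory (shuffle decoder plus `Function()`) would need dynamic analysis in a sandbox, which this check deliberately does not attempt.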