{"id":"MAL-2026-5935","summary":"Malicious code in tw-theme-kit (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (0144b9ea6743e481e49885f6375a8aa990e9a20bfc5da1148b7df59a9370736c)\nThe published entrypoints dist/index.cjs and dist/runtime.cjs contain an injected IIFE that assigns `global.r = require` and `global.m = module`, tags the host with campaign id 'A6-Orion-271', uses a string-shuffle helper to reconstruct the identifier 'constructor', then invokes Function() on a deshuffled obfuscated blob and immediately calls the resulting function. Any consumer that does `require('tw-theme-kit')` or `import 'tw-theme-kit/runtime'` triggers attacker-controlled code at load time with full Node capabilities (fs, child_process, net) exposed via the globals. This behavior is unrelated to the package's stated purpose (a Tailwind theme plugin) and matches the fingerprint of the 'Orion' obfuscated-loader campaign. The.mjs builds and source-maps embed the same obfuscated literal, so no entrypoint is safe.\n","modified":"2026-06-16T23:16:56.885859202Z","published":"2026-06-16T22:21:38Z","database_specific":{"malicious-packages-origins":[{"sha256":"0144b9ea6743e481e49885f6375a8aa990e9a20bfc5da1148b7df59a9370736c","import_time":"2026-06-16T23:03:43.703368387Z","id":"IN-MAL-2026-006848","source":"amazon-inspector","versions":["1.1.0"],"modified_time":"2026-06-16T22:21:38Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/tw-theme-kit/v/1.1.0"}],"affected":[{"package":{"name":"tw-theme-kit","ecosystem":"npm","purl":"pkg:npm/tw-theme-kit"},"versions":["1.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tw-theme-kit/MAL-2026-5935.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"filename":"tw-theme-kit-1.1.0.tgz","hashes":{"sha512_sri":"sha512-wW+MgsdKOTDDfF3ldqEOFH84JJ4fxSXw6bjS6NXhtMTeXkIzuoGsXXKj2vvF58HTQCTQTxQASrYNLF08svZ0+A==","sha1":"190b3a8c76e72928ba27eaeec223ee1dc79563f5"}}],"evidence_files":[{"path":"dist/index.cjs","tlsh":"cc421985b7fa2623007394ed412b8016faa9b1421419f748f9ddd3e80f8a21ec9f57e9","sha256":"ce9e98ae597db38c523eb0141be40b29d462e22edffad6be38b562193ff278e6"},{"path":"dist/runtime.cjs","tlsh":"83e13cc43bf97766217200a5121790067594b1838429f58cedeee3e90fda21f89f8bf9","sha256":"eea38ba44c83cf0fc821802e00dec564f35ba062ce3817517b7c4af41bc4510f"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}