Vulnerability
Malicious code in tailwindcss-merge (npm)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (37e379cbf2d39f386221b7e0896b9331c7a52dc62a74bee6ded47962a77074b7) Package name `tailwindcss-merge` is a one-character edit of the popular `tailwind-merge` utility, and the README documents it as a drop-in (`import {... } from 'tailwindcss-merge'`). `src/index.ts` line 13 ends with a side-effect import `import './lib/lib.min.js';` even though the manifest claims `sideEffects: false`. `src/lib/lib.min.js` is a heavily obfuscated bootstrap that (a) stashes `require` into `global['r']` and `module` into `global['m']`, (b) uses a deterministic Knuth-style string-shuffle seeded with 2540575 to deshuffle the literal `'axhscuutcrogycrneotisjlnkdpfqmzovtrwb'` into the string `'constructor'`, (c) dereferences that to obtain the `Function` constructor, and (d) deshuffles two further opaque blobs and executes them via `Function('', decoded)(decoded2)` followed by `XZs(7942)`. The combination — typosquat name, side-effect import contradicting the manifest, capture of `require`/`module` into globals immediately before a two-stage opaque-string-to-Function eval chain — exists only to hide arbitrary code execution from review. Any consumer who imports this package (directly, or via the `source` field that bundlers like Parcel and Microbundle resolve to `src/index.ts`) executes the eval'd payload at module load with full access to `require`, enabling child-process spawn, network I/O, and filesystem reads. Manifest also points `main` at `./dist/bundle-cjs.js`, but no `dist/` directory ships in the tarball, and `author` is empty — publication-hygiene tells consistent with a hastily-assembled typosquat. ## Source: ghsa-malware (757933d4ef7a3a1e94cb1316d0f0f24d6f5fcb30dd482e130c0fa348939dad66) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Last record update .
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence