OSV-MAL-2026-5637

Malicious code in tailwindcss-animotion (npm)

--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (774c1b953da3225f63374a2054512d7715ce872f4a82278fc0954fe3133e7e0b) The package's main entry (dist/index.cjs, with the same code in src/utils/helper.min.js) aliases `require` to `global.r` and `module` to `global.m`, then deobfuscates two large opaque strings via a custom character-shuffle routine and passes the result to a dynamically-resolved Function constructor (`AQq = YWG[OSN]` where OSN resolves to 'constructor'). The constructed function is invoked immediately at module load (`XZs(7942)`). Any consumer that references this package from tailwind.config.js or otherwise `require()`s it will execute the runtime-decoded code with full Node privileges and a pre-aliased `require`. A Tailwind CSS plugin (a declarative class generator) has no legitimate need for runtime code generation, global require injection, or multi-layer string obfuscation. The combination of import-time Function() execution, `global.r=require` aliasing, and custom-shuffle obfuscation of the executed bytes is the canonical shape of a dropper designed to evade static review. ## Source: ghsa-malware (96413f4c88df11bc7b9783884da8c9c18d04f8b37134ca1f8891551def09e788) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.