Supply-chain threat intelligence

Incident detail

criticalnpm·typosquatting·osv

Malicious code in tailwind-typography-plus (npm)

tailwind-typography-plus

Risk score

92

AI summary

Indexed incident for tailwind-typography-plus (npm).

Description

tailwind-typography-plus@2.1.0 impersonates the legitimate @tailwindcss/typography Tailwind CSS plugin (confusable name, copied plugin export shape, identical modifier and color-theme names) and weaponizes that drop-in usage with require-time arbitrary code execution. The package main src/index.js calls initScaleEngine() at top level, which runs src/responsive-scale.js. responsive-scale.js loads data/font-metrics.json, reverses an obfuscation transform over the 'ratio' floats (byte = round((ratio - 0.10) / 1.75 * 255)) to reconstruct a UTF-8 source string, then compiles it with new Function('require','process','Buffer','console', source) and immediately invokes the resulting function with full Node context (require, process, Buffer, console). Whatever bytes the maintainer encodes into font-metrics.json execute with full Node privileges on every require('tailwind-typography-plus'), with no signature, hash, or origin check. Separately, src/styles.js contains a top-level IIFE that on require creates os.tmpdir()/.tailwind-color-space-v2, evades CI environments via !process.env.CI &&!process.env.TAILWIND_DISABLE_TELEMETRY, and writes probe-.json containing arch, platform, execPath, and timestamp. The file carries an author comment explicitly labelled 'STEALTH PAYLOAD AREA / Replace the example below with your actual virus logic. / This executes once on first build after npm install.' — the package documents itself as malware scaffolding. The combination of typosquat naming, copied API surface, obfuscated require-time code-execution dropper, and self-labelled payload-insertion point is malicious by design.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Technical details

Affected versions

=2.1.0

Indicators

  • Advisory IDs
    90%
  • affected version=2.1.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents