Supply-chain threat intelligence
Risk score: 92
Indexed incident for tailwindcss-animotion (npm).
The package's main entry (dist/index.cjs, with the same code in src/utils/helper.min.js) aliases require to global.r and module to global.m, then deobfuscates two large opaque strings via a custom character-shuffle routine and passes the result to a dynamically-resolved Function constructor (AQq = YWG[OSN] where OSN resolves to 'constructor'). The constructed function is invoked immediately at module load (XZs(7942)). Any consumer that references this package from tailwind.config.js or otherwise require()s it will execute the runtime-decoded code with full Node privileges and a pre-aliased require. A Tailwind CSS plugin (a declarative class generator) has no legitimate need for runtime code generation, global require injection, or multi-layer string obfuscation. The combination of import-time Function() execution, global.r=require aliasing, and custom-shuffle obfuscation of the executed bytes is the canonical shape of a dropper designed to evade static review.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
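For reviewers triaging other dependencies, the loader shape described above can be screened for in source text. The following is an added example, not code from the package or from this index; the check names, the 400-character threshold and both sample strings are assumptions constructed for illustration.

```javascript
// Added example: heuristic text checks for the loader shape described above.
// Check ids, thresholds and sample strings are assumptions made for this sketch.
const CHECKS = [
  // global.<x> = require  (a bare alias, not the result of a require('...') call)
  { id: 'global-require-alias',
    re: /\bglobal(?:This)?\s*\.\s*[A-Za-z_$][\w$]*\s*=\s*require\b(?!\s*\()/ },
  // global.<x> = module  (the module object itself, not module.exports)
  { id: 'global-module-alias',
    re: /\bglobal(?:This)?\s*\.\s*[A-Za-z_$][\w$]*\s*=\s*module\b(?!\s*\.)/ },
  // Function(...) or ['constructor'] written out literally
  { id: 'function-constructor',
    re: /\bFunction\s*\(|\[\s*(['"])constructor\1\s*\]/ },
  // one string literal of 400+ characters with no whitespace
  { id: 'opaque-string',
    re: /(['"`])(?:\\.|(?!\1)[^\\\s]){400,}\1/ },
];

function scanSource(src) {
  const hits = CHECKS.filter((c) => c.re.test(src)).map((c) => c.id);
  // A lookup resolved at run time (the page's YWG[OSN]) never spells out
  // "constructor", so the verdict cannot depend on that check alone.
  const suspicious = hits.includes('global-require-alias') &&
    (hits.includes('opaque-string') || hits.includes('function-constructor'));
  return { hits, suspicious };
}

// Constructed samples: inert text that is scanned, never executed.
const SAMPLE_SUSPECT = [
  'global.r = require; global.m = module;',
  'var blob = "' + 'x9Qz'.repeat(150) + '";',
  'var key = "constr" + "uctor"; var F = (function () {})[key];',
].join('\n');
const SAMPLE_PLUGIN = [
  'const plugin = require("tailwindcss/plugin");',
  'module.exports = plugin(({ addUtilities }) => addUtilities({}));',
].join('\n');

console.log(scanSource(SAMPLE_SUSPECT));
console.log(scanSource(SAMPLE_PLUGIN));
```

Pass scanSource the text of each entry file of an unpacked tarball (main, bin and any minified helpers) and treat a hit as a prompt for manual review, not a verdict.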