Package name tailwindcss-merge is a one-character edit of the popular tailwind-merge utility, and the README documents it as a drop-in (import {... } from 'tailwindcss-merge'). src/index.ts line 13 ends with a side-effect import import './lib/lib.min.js'; even though the manifest claims sideEffects: false. src/lib/lib.min.js is a heavily obfuscated bootstrap that (a) stashes require into global['r'] and module into global['m'], (b) uses a deterministic Knuth-style string-shuffle seeded with 2540575 to deshuffle the literal 'axhscuutcrogycrneotisjlnkdpfqmzovtrwb' into the string 'constructor', (c) dereferences that to obtain the Function constructor, and (d) deshuffles two further opaque blobs and executes them via Function('', decoded)(decoded2) followed by XZs(7942). The combination — typosquat name, side-effect import contradicting the manifest, capture of require/module into globals immediately before a two-stage opaque-string-to-Function eval chain — exists only to hide arbitrary code execution from review. Any consumer who imports this package (directly, or via the source field that bundlers like Parcel and Microbundle resolve to src/index.ts) executes the eval'd payload at module load with full access to require, enabling child-process spawn, network I/O, and filesystem reads. Manifest also points main at ./dist/bundle-cjs.js, but no dist/ directory ships in the tarball, and author is empty — publication-hygiene tells consistent with a hastily-assembled typosquat.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.