Supply-chain threat intelligence
Risk score
92
Indexed incident for tailwind-animate-v4 (npm).
The package presents itself as a Tailwind CSS animation plugin and reproduces the legitimate tailwindcss-animate source (including its original author metadata) verbatim in index.js. A long whitespace run at the end of the file visually hides an appended obfuscated loader. On require(), the loader permutation-decodes a string to recover the identifiers 'require', 'module', '__dirname', '__filename', and 'undefined', re-installs them on the global object, then resolves the Function constructor indirectly via a String prototype method whose name is produced by string permutation ('constructor'). It then uses Function() to compile and immediately invoke a large opaque decoded payload (uwg(4261)). This is dynamic execution of an obfuscated blob at library-load time, delivered under a name that mimics the widely used tailwindcss-animate package. Any project that adds this dependency and requires it will execute the hidden payload in the developer/build process, with full access to environment variables, filesystem, and network.
Affected versions
Indicators
Timeline